HT log check

 
Written on: 24.11.2008
Posted: 24 Nov 2008 16:59
stefannn
Citizen

Joined: 21 Sep 2008
Posts: 220
Location: Bačka Palanka


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:55:29, on 24.11.2008
Platform: Windows XP SP3, v.3244 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Stefan\Desktop\My City Folder\TR3.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.rs/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {AFAF8314-45C9-4EC5-9317-A9C24E01D0AC} - C:\WINDOWS\system32\byXOghFY.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: (no name) - {FD70B2B4-AB25-429E-956A-B83A67243900} - C:\WINDOWS\system32\urqOGaBT.dll (file missing)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [98c117fb] rundll32.exe "C:\WINDOWS\system32\gbtixhpl.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Preuzmi odabrano Free Download Manager-om - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Preuzmi sa Free Download Managerom - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Preuzmi sve sa Free Download Manager-om - file://C:\Program Files\Free Download Manager\dlall.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB1E1F62-F0A8-4A55-B2F3-DDB50197BA0B}: NameServer = 194.247.192.33 194.247.192.1
O20 - Winlogon Notify: byXOghFY - C:\WINDOWS\SYSTEM32\byXOghFY.dll
O20 - Winlogon Notify: wingdm32 - C:\WINDOWS\SYSTEM32\wingdm32.dll
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 5497 bytes
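A helper reads a log like the one above for a handful of tells: BHOs with no name (one backed by a live DLL in system32, two orphaned), a Run value with a hex name that launches rundll32 on a random-named DLL, and Winlogon Notify packages that are not part of Windows. The Python below is an added example, not code from this thread or from HijackThis: it automates those checks over a constructed subset of the posted log. The KNOWN_NOTIFY baseline and the looks_random() name heuristic are the author's assumptions, chosen to match the naming pattern seen here; real triage compares against a known-clean machine of the same build.

```python
"""Heuristic triage of HijackThis log lines.

Added example, not code from the thread or from HijackThis.  SAMPLE_LOG is
a constructed subset of the posted log; KNOWN_NOTIFY and looks_random()
are assumptions, not HijackThis logic.
"""
import re

# Winlogon Notify packages a stock Windows XP install registers.
# Assumption: an illustrative baseline, not an authoritative list.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "scggcdll", "schedule",
    "sclgntfy", "seccenter", "senslogn", "termsrv", "wlballoon",
}

HEX_RUN_NAME = re.compile(r"^[0-9a-f]{8}$")            # e.g. [98c117fb]
HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
RUN_VALUE = re.compile(r"^HK\w+\\\.\.\\Run: \[([^\]]+)\] (.*)$")
RUNDLL_TARGET = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)
NOTIFY_ENTRY = re.compile(r"^Winlogon Notify: (\S+) - (.*)$")


def stem(path):
    r"""'C:\WINDOWS\system32\byXOghFY.dll' -> 'byXOghFY'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def looks_random(name):
    """Assumed heuristic for generated names (byXOghFY, gbtixhpl): exactly
    eight letters and either mixed case after the first letter or fewer
    than two vowels.  Coarse, so consult an allow-list first."""
    if len(name) != 8 or not name.isalpha():
        return False
    mixed = any(c.isupper() for c in name[1:]) and any(c.islower() for c in name)
    vowels = sum(c in "aeiouAEIOU" for c in name)
    return mixed or vowels < 2


def triage_line(line):
    """Return (severity, reason) for one HijackThis line, or None if clean."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()

    if section == "O2" and body.startswith("BHO: (no name)"):
        if "(no file)" in body or "(file missing)" in body:
            return ("medium", "orphaned nameless BHO; remove the CLSID registration")
        return ("high", "nameless BHO backed by a DLL: %s" % stem(body.rsplit(" - ", 1)[-1]))

    if section == "O4":
        m4 = RUN_VALUE.match(body)
        if m4:
            name, cmd = m4.groups()
            dll = RUNDLL_TARGET.search(cmd)
            if HEX_RUN_NAME.match(name) or (dll and looks_random(stem(dll.group(1)))):
                return ("high", "rundll32 autorun of a random-named DLL")

    if section == "O20":
        m20 = NOTIFY_ENTRY.match(body)
        if m20 and m20.group(1).lower() not in KNOWN_NOTIFY:
            why = "Winlogon Notify DLL not in baseline (loads into winlogon.exe)"
            if looks_random(m20.group(1)):
                why += ", auto-generated name"
            return ("high", why)

    if section == "O17":
        return ("info", "custom DNS servers; confirm they belong to the ISP")

    return None


def triage(log_text):
    """List of (line, severity, reason) for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        verdict = triage_line(line)
        if verdict:
            hits.append((line.strip(),) + verdict)
    return hits


# Constructed sample: a subset of the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {AFAF8314-45C9-4EC5-9317-A9C24E01D0AC} - C:\WINDOWS\system32\byXOghFY.dll
O2 - BHO: (no name) - {FD70B2B4-AB25-429E-956A-B83A67243900} - C:\WINDOWS\system32\urqOGaBT.dll (file missing)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [98c117fb] rundll32.exe "C:\WINDOWS\system32\gbtixhpl.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB1E1F62-F0A8-4A55-B2F3-DDB50197BA0B}: NameServer = 194.247.192.33 194.247.192.1
O20 - Winlogon Notify: byXOghFY - C:\WINDOWS\SYSTEM32\byXOghFY.dll
O20 - Winlogon Notify: wingdm32 - C:\WINDOWS\SYSTEM32\wingdm32.dll
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
"""

if __name__ == "__main__":
    for line, severity, reason in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (severity.upper(), line, reason))
```

On the sample it reports seven lines: four high (the live nameless BHO, the hex-named rundll32 Run value, and both Winlogon Notify DLLs), two medium (the orphaned BHO CLSIDs) and one informational (the O17 nameservers). The O20 hits matter most: a Notify DLL runs inside winlogon.exe at every logon, which is why the ComboFix log later in this thread shows wingdm32.dll loaded under that process.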
Posted: 24 Nov 2008 17:53
Piksi
Elite citizen

Joined: 13 Nov 2003
Posts: 2424


Hello...

Temporarily disable ESS following the instructions in the image below ->

Download ComboFix from one of the following addresses to your Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and don't touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear; copy it here for us.
Posted: 24 Nov 2008 21:35
stefannn


Here is the log:


ComboFix 08-10-04.07 - Stefan 2008-11-24 21:27:45.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.413 [GMT 1:00]
Running from: D:\Stef4n\za malware\ComboFix\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2008-10-24 to 2008-11-24 )))))))))))))))))))))))))))))))
.

2008-11-23 21:00 . 2008-11-23 21:00 1,614,583 --ahs---- C:\WINDOWS\system32\lphxitbg.ini
2008-11-23 20:59 . 2008-11-24 17:01 298,462 --ahs---- C:\WINDOWS\system32\TBaGOqru.ini
2008-11-23 20:59 . 2008-11-24 16:58 298,427 --ahs---- C:\WINDOWS\system32\TBaGOqru.ini2
2008-11-23 20:53 . 2008-11-23 20:53 36,864 --------- C:\WINDOWS\system32\wingdm32.dll
2008-11-22 12:29 . 2008-11-23 20:45 <DIR> d-------- C:\Program Files\mIRC
2008-11-22 12:29 . 2008-11-23 21:57 <DIR> d-------- C:\Documents and Settings\Stefan\Application Data\mIRC
2008-11-18 19:03 . 2005-05-02 05:10 68,096 --a------ C:\WINDOWS\system32\agrsmdel.exe
2008-11-18 19:01 . 2008-11-18 19:03 <DIR> d-------- C:\WINDOWS\Options
2008-11-18 19:01 . 2006-04-19 16:50 788,224 --a------ C:\WINDOWS\system32\drivers\BisonCam.sys
2008-11-18 19:01 . 2005-01-14 13:47 180,224 --a------ C:\WINDOWS\system\StillDrv.dll
2008-11-18 19:01 . 2006-03-07 16:26 126,976 --a------ C:\WINDOWS\system\BisonCam.dll
2008-11-18 19:01 . 2006-03-07 16:26 90,112 --a------ C:\WINDOWS\system\BisonVfw.dll
2008-11-18 19:01 . 2006-03-02 14:41 77,942 --a------ C:\WINDOWS\system32\BisonRem.dll
2008-11-18 19:01 . 2003-09-22 13:49 15,190 --a------ C:\WINDOWS\M2000Twn.ini
2008-11-18 19:01 . 2003-09-22 14:36 13,448 --a------ C:\WINDOWS\M2000Twn.src
2008-11-18 19:01 . 2005-12-05 12:08 2,264 --a------ C:\WINDOWS\system\S20H0220.csr
2008-11-18 19:01 . 2005-12-05 12:08 2,264 --a------ C:\WINDOWS\system\S20F0220.csr
2008-11-17 20:36 . 2007-08-02 22:09 5,624,832 --a------ C:\WINDOWS\system\DriveIcon.dll
2008-11-17 20:36 . 2007-09-18 15:08 44,032 --a------ C:\WINDOWS\system32\drivers\RTSTOR.sys
2008-11-17 20:36 . 2007-09-27 15:12 38,660 --a------ C:\WINDOWS\system\sd.ico
2008-11-17 20:36 . 2007-09-27 15:04 37,300 --a------ C:\WINDOWS\system\cf.ico
2008-11-17 20:36 . 2007-09-27 15:17 37,041 --a------ C:\WINDOWS\system\sm.ico
2008-11-17 20:36 . 2007-09-27 15:32 34,530 --a------ C:\WINDOWS\system\ms.ico
2008-11-17 20:36 . 2004-06-30 16:24 5,430 --a------ C:\WINDOWS\system\MyMulti.ico
2008-11-16 19:58 . 2005-04-25 10:43 159,616 --a------ C:\WINDOWS\system32\drivers\Vax347b.sys
2008-11-16 19:58 . 2004-04-30 09:33 5,248 --a------ C:\WINDOWS\system32\drivers\Vax347s.sys
2008-11-16 19:57 . 2008-11-16 19:57 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-11-15 19:08 . 2008-11-15 19:08 <DIR> d-------- C:\Program Files\YouTube Downloader
2008-11-14 18:57 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-11-13 16:35 . 2008-11-13 16:35 <DIR> d-------- C:\FAX
2008-11-12 13:02 . 2008-11-12 13:02 <DIR> d-------- C:\Program Files\iPassion
2008-11-12 13:02 . 2008-01-23 18:41 86,016 --a------ C:\WINDOWS\iPScan.exe
2008-11-12 13:02 . 2008-01-25 09:26 53,248 --a------ C:\WINDOWS\iPInst.dll
2008-11-12 13:01 . 2008-11-12 13:01 <DIR> d-------- C:\Documents and Settings\Stefan\Application Data\InstallShield
2008-11-12 13:00 . 2008-11-12 13:00 <DIR> d-------- C:\Program Files\MSI
2008-11-12 12:50 . 2008-01-28 10:06 241,920 --a------ C:\WINDOWS\system32\drivers\iP293x.SYS
2008-11-12 12:50 . 2007-10-31 10:36 225,280 --a------ C:\WINDOWS\iPTwain.exe
2008-11-12 12:50 . 2007-08-02 14:38 65,536 --a------ C:\WINDOWS\system32\iPCamLib.Dll
2008-11-12 12:50 . 2008-01-04 18:45 57,344 --a------ C:\WINDOWS\iPPage.AX
2008-11-12 12:50 . 2007-12-03 10:16 40,960 --a------ C:\WINDOWS\iPSti.exe
2008-11-12 12:50 . 2007-10-31 00:33 28,672 --a------ C:\WINDOWS\vidcap.ax
2008-11-12 12:50 . 2007-10-31 00:33 20,992 --a------ C:\WINDOWS\dshowext.ax
2008-11-12 12:47 . 2007-10-30 18:46 60,032 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-11-12 12:47 . 2007-10-30 18:46 60,032 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-11-10 21:36 . 2006-09-18 14:59 90,800 -ra------ C:\WINDOWS\system32\drivers\se27unic.sys
2008-11-10 21:36 . 2006-09-18 14:58 88,688 -ra------ C:\WINDOWS\system32\drivers\SE27mgmt.sys
2008-11-10 21:36 . 2006-09-18 14:59 86,560 -ra------ C:\WINDOWS\system32\drivers\SE27obex.sys
2008-11-10 21:36 . 2006-09-18 14:59 18,704 -ra------ C:\WINDOWS\system32\drivers\se27nd5.sys
2008-11-10 21:36 . 2006-09-18 14:58 4,128 -ra------ C:\WINDOWS\system32\drivers\se27cr.sys
2008-11-10 21:32 . 2008-11-14 21:15 <DIR> d-------- C:\Documents and Settings\Stefan\Application Data\Teleca
2008-11-10 21:02 . 2008-11-10 21:02 <DIR> d-------- C:\Documents and Settings\Stefan\Application Data\Sony Ericsson
2008-11-10 20:57 . 2008-11-10 20:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-11-10 20:56 . 2008-11-10 20:56 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-11-10 20:56 . 2008-11-10 20:56 <DIR> d-------- C:\Program Files\Sony Ericsson
2008-11-10 20:56 . 2008-11-10 20:57 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2008-11-10 20:56 . 2008-11-10 20:57 <DIR> d-------- C:\Program Files\Common Files\Sony Ericsson Shared
2008-11-10 20:56 . 2008-11-10 20:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Teleca
2008-11-08 21:58 . 2008-11-08 21:58 <DIR> d-------- C:\Documents and Settings\Stefan\Application Data\Thunderbird
2008-11-08 21:57 . 2008-11-08 21:57 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2008-11-05 20:13 . 2007-10-31 00:31 562,176 --a------ C:\WINDOWS\system32\fxsst.dll
2008-11-05 20:12 . 2007-10-31 00:31 397,312 --a------ C:\WINDOWS\system32\fxstiff.dll
2008-11-05 20:11 . 2008-11-05 20:11 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-11-05 20:08 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\002544_.tmp
2008-11-05 17:04 . 1997-03-16 18:31 105,600 --a------ C:\WINDOWS\YUERIFE.FON
2008-11-05 17:04 . 1996-04-27 10:32 89,620 --a------ C:\WINDOWS\MD1.BMP
2008-11-05 17:04 . 1996-04-27 10:14 88,324 --a------ C:\WINDOWS\MD3.BMP
2008-11-05 17:04 . 1996-04-27 10:06 84,612 --a------ C:\WINDOWS\MD2.BMP
2008-11-05 17:04 . 2008-11-05 17:04 0 --a------ C:\WINDOWS\MD4.BMP
2008-11-04 21:09 . 2008-04-14 06:34 480,367 -ra------ C:\txtsetup.sif
2008-11-04 21:09 . 2008-04-13 23:02 260,288 -ra------ C:\$LDR$
2008-11-04 20:46 . 2008-11-04 20:46 <DIR> d-------- C:\Documents and Settings\Stefan\Application Data\Thinstall
2008-11-04 20:38 . 2008-11-04 20:39 287,976 --a------ C:\cc_20081104_203843.reg
2008-11-03 20:13 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-11-03 20:13 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-11-03 20:13 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-11-01 13:09 . 2008-11-01 13:09 <DIR> d-------- C:\Program Files\The Weather Channel FW
2008-10-28 22:39 . 2008-10-28 22:40 <DIR> d-------- C:\Program Files\HotPotatoes6
2008-10-28 22:32 . 2008-10-28 22:39 <DIR> d-------- C:\Program Files\RapidTyping
2008-10-27 11:58 . 2008-10-27 11:58 <DIR> d-------- C:\Program Files\Uniblue
2008-10-26 20:48 . 2008-10-27 11:57 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-10-26 19:59 . 2008-10-27 11:57 <DIR> d-------- C:\Program Files\Uniblue(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-24 16:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-18 18:18 --------- d-----w C:\Program Files\MSN Messenger
2008-11-18 18:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-11-13 16:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-10-28 22:07 --------- d-----w C:\Documents and Settings\Stefan\Application Data\Free Download Manager
2008-10-28 21:42 --------- d-----w C:\Program Files\Common Files\Adobe
2008-10-27 10:57 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-26 15:31 --------- d-----w C:\Documents and Settings\Stefan\Application Data\skypePM
2008-10-26 15:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-10-23 08:52 --------- d-----w C:\Documents and Settings\Stefan\Application Data\Uniblue
2008-10-19 21:05 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-10-19 21:05 --------- d-----w C:\Program Files\Windows Live
2008-10-19 20:55 --------- dc-h--w C:\Documents and Settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-10-19 20:55 --------- d-----w C:\Program Files\CCleaner
2008-10-19 16:58 --------- d-----w C:\Program Files\Virtual Dub 1.8.6
2008-10-18 16:49 --------- d-----w C:\Program Files\KGB Archiver
2008-10-18 11:14 --------- d-----w C:\Program Files\Common Files\Ahead
2008-10-18 11:13 --------- d-----w C:\Program Files\Nero
2008-10-18 11:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-10-15 18:26 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-14 18:34 --------- d-----w C:\Program Files\Ahead
2008-10-13 21:06 --------- d-----w C:\Program Files\%temp&
2008-10-12 12:11 --------- d-----w C:\Documents and Settings\Stefan\Application Data\zweitgeist
2008-10-12 12:05 --------- d-----w C:\Documents and Settings\Stefan\Application Data\Ahead
2008-10-12 11:40 223,128 ----a-w C:\WINDOWS\system32\drivers\dtscsi.sys
2008-10-12 11:40 --------- d-----w C:\Program Files\DAEMON Tools
2008-10-04 14:21 --------- d-----w C:\Program Files\PopCap Games
2008-10-04 13:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\PopCap Games
2008-10-04 13:44 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-10-04 13:41 306,432 ----a-w C:\WINDOWS\system32\TuneUpDefragService.exe
2008-10-04 13:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-10-04 13:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-10-04 13:15 --------- d-----w C:\Program Files\VideoLAN
2008-10-04 13:12 --------- d-----w C:\Documents and Settings\Stefan\Application Data\vlc
2008-10-04 12:23 --------- d-----w C:\Program Files\ESET
2008-10-03 18:38 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-10-02 20:37 --------- d-----w C:\Documents and Settings\Stefan\Application Data\Malwarebytes
2008-10-02 20:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-02 19:52 --------- d-----w C:\Program Files\ICQToolbar
2008-10-02 08:51 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-09-11 12:55 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-08-04 12:42 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-07-14 16:01 81,920 ----a-w C:\Documents and Settings\Stefan\Application Data\ezpinst.exe
2008-07-14 16:01 47,360 ----a-w C:\Documents and Settings\Stefan\Application Data\pcouffin.sys
2003-03-21 12:45 250,544 ----a-w C:\Program Files\Common Files\keyhelp.ocx
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-10-31 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Google Update"="C:\Documents and Settings\Stefan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-09 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
"AGRSMMSG"="AGRSMMSG.exe" [2006-06-29 C:\WINDOWS\AGRSMMSG.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-08-28 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-28 11:32 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"msacm.l3acm"= L3codecp.acm
"msacm.divxa32"= DivXa32.acm
"vidc.asv2"= asusasv2.dll
"vidc.div3"= DivXc32.dll
"vidc.div4"= DivXc32f.dll
"vidc.ap41"= APmpg4v1.dll
"vidc.mjpg"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
"vidc.rud0"= rududu.dll
"vidc.mj2c"= M3JP2K32.dll
"vidc.mmes"= DigiVCap.dll
"vidc.vixl"= Miroxl32.dll
"vidc.sony"= sonydv.dll
"vidc.dv25"= DigiVCap.dll
"vidc.dv50"= DigiVCap.dll
"vidc.msmc"= DigiVCap.dll
"vidc.mmjp"= DigiVCap.dll
"vidc.3ivx"= 3ivxVfWCodec.dll
"vidc.vssv"= vsscodec.dll
"vidc.pim1"= pclepim1.dll
"vidc.advs"= Dvc.dll
"vidc.asv1"= asusasv1.dll
"vidc.vcr1"= ativcr1.dll
"vidc.vcr2"= ativcr2.dll
"vidc.aflc"= flccodec32.dll
"vidc.aasc"= Aasc32.dll
"vidc.avrn"= AvidAVICodec.dll
"VIDC.mszh"= avimszh.dll
"vidc.zlib"= avizlib.dll
"vidc.mwv1"= icmw_32.dll
"vidc.bt20"= btvvc32.drv
"vidc.y41p"= btvvc32.drv
"vidc.cscd"= camcodec.dll
"vidc.cdvc"= CSCCDVC.DLL
"vidc.ddvc"= CSCdvsd.DLL
"vidc.dps0"= DpsAviCC.dll
"vidc.dvx4"= divx4.dll
"vidc.em2v"= EtxCodec.dll
"vidc.frwd"= frwd.dll
"vidc.frwt"= frwt.dll
"vidc.frwu"= frwu.dll
"vidc.glzw"= GLZW.dll
"vidc.gpeg"= GPEG.dll
"vidc.hfyu"= huffyuv.dll
"vidc.i263"= i263_32.drv
"vidc.ir21"= IR21_R.DLL
"vidc.rt21"= IR21_R.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau C:\WINDOWS\system32\urqOGaBT

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-03-12 12:49 153136 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2007-10-31 00:32 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-11-08 23:00 128920 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
--a------ 2008-09-09 14:06 2465839 C:\Program Files\Free Download Manager\fdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-09 14:06 133104 C:\Documents and Settings\Stefan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iPPCamScan]
--a------ 2008-01-23 18:41 86016 C:\WINDOWS\iPScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2003-03-25 04:49 53248 C:\WINDOWS\system32\mmtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray2K]
--a------ 2003-03-25 04:49 57344 C:\WINDOWS\system32\mmtray2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTrayLSI]
--a------ 2003-03-25 04:49 53248 C:\WINDOWS\system32\mmtraylsi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-09 17:53 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2006-11-24 01:06 487424 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 10:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 11:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
-ra------ 2006-06-29 06:32 89541 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2007-11-30 11:42 16858624 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]
--a------ 2003-03-25 04:49 106544 C:\WINDOWS\system32\tweakui.cpl

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-03-07 45848]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2007-10-31 14336]
R3 DCamUSBTP10;StarCam mini+;C:\WINDOWS\system32\Drivers\iP293x.sys [2008-01-28 241920]
R3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-09-09 38528]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINDOWS\system32\DRIVERS\RMSPPPOE.SYS [2002-06-09 31232]
R3 RTSTOR;USB Mass Stroage Device;C:\WINDOWS\system32\drivers\RTSTOR.SYS [2007-09-18 44032]
R3 usnjsvc;Usluga Messenger Sharing Folders USN Journal Reader;C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2007-03-28 57024]
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [ ]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-10-04 306432]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98fbfdee-51f7-11dd-b7bc-0015af99d8cd}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com k:
\Shell\Open\command - L:\resycled\boot.com k:

*Newly Created Service* - MBAMSWISSARMY
.
Contents of the 'Scheduled Tasks' folder

2008-11-14 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe [2008-01-08 12:31]

2008-11-24 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job
- C:\Documents and Settings\Stefan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-09 14:06]

2008-11-24 C:\WINDOWS\Tasks\rjrrfpyy.job
- C:\WINDOWS\system32\rundll32.exe [2007-10-31 00:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{AFAF8314-45C9-4EC5-9317-A9C24E01D0AC} - (no file)
BHO-{FD70B2B4-AB25-429E-956A-B83A67243900} - (no file)
WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)
ShellExecuteHooks-{AFAF8314-45C9-4EC5-9317-A9C24E01D0AC} - (no file)
Notify-byXOghFY - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Stefan\Application Data\Mozilla\Firefox\Profiles\6797vdyr.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://google.rs
FF -: plugin - C:\Documents and Settings\Stefan\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-24 21:28:17
Windows 5.1.2600 Service Pack 3, v.3244 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASPI32]
"ImagePath"="hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,73,00,70,00,69,00,33,00,32,00,2e,00,73,00,79,00,73,00,00,00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASPI32]
"ImagePath"="hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,73,00,70,00,69,00,33,00,32,00,2e,00,73,00,79,00,73,00,00,00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\wingdm32.dll
.
Completion time: 2008-11-24 21:29:53
ComboFix-quarantined-files.txt 2008-11-24 20:29:51
ComboFix2.txt 2008-10-05 11:21:57

Pre-Run: 20.445.622.272 bytes free
Post-Run: 20,472,745,984 bytes free

322 --- E O F --- 2008-11-17 17:32:29
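Two entries in the ComboFix log above sit outside the usual Run keys and are easy to skip over. The LSA "Authentication Packages" value carries a third entry, C:\WINDOWS\system32\urqOGaBT, beside msv1_0 and nwprovau; whatever is listed there is loaded by lsass.exe at boot. And the MountPoints2 key for one volume GUID has its Shell\AutoRun and Shell\Open verbs pointed at resycled\boot.com, which is Explorer's cached copy of an autorun.inf from an infected removable drive (the later log shows resycled\boot.com on D:, E:, F: and J:). The Python below is an added example, not code from this thread or from ComboFix: it parses the bracketed registry blocks of the "Reg Loading Points" section and reports both conditions over a constructed subset of the posted log. BASELINE_AUTH_PACKAGES is an assumption about a stock Windows XP install.

```python
"""Two persistence checks on ComboFix's "Reg Loading Points" section.

Added example, not code from the thread or from ComboFix.  SAMPLE is a
constructed subset of the posted log; BASELINE_AUTH_PACKAGES is an
assumption.
"""
import re

# Assumption: msv1_0 is always registered on Windows XP; nwprovau appears
# when the NetWare client is installed.  Anything else is worth a look.
BASELINE_AUTH_PACKAGES = {"msv1_0", "nwprovau"}

SHELL_VERB = re.compile(r"^\\Shell\\([^\\]+)\\command - (.*)$", re.I)
MOUNTPOINT = re.compile(r"\\explorer\\mountpoints2\\(\{[0-9a-f-]+\})$", re.I)


def parse_blocks(text):
    """Split ComboFix's registry dump into (key, [value lines]) pairs."""
    blocks, key, values = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                blocks.append((key, values))
            key, values = line[1:-1], []
        elif line and key is not None:
            values.append(line)
    if key is not None:
        blocks.append((key, values))
    return blocks


def extra_auth_packages(blocks):
    """Entries in LSA 'Authentication Packages' beyond the baseline.
    These DLLs are loaded into lsass.exe at boot."""
    extras = []
    for key, values in blocks:
        if not key.lower().endswith("\\control\\lsa"):
            continue
        for v in values:
            if v.startswith("Authentication Packages"):
                pkgs = v.split("REG_MULTI_SZ", 1)[1].split()
                extras += [p for p in pkgs if p.lower() not in BASELINE_AUTH_PACKAGES]
    return extras


def hijacked_drive_verbs(blocks):
    """(volume GUID, verb, command) for every MountPoints2 shell override:
    Explorer runs the command when the drive is double-clicked or autorun."""
    hits = []
    for key, values in blocks:
        mp = MOUNTPOINT.search(key)
        if not mp:
            continue
        for v in values:
            sv = SHELL_VERB.match(v)
            if sv:
                hits.append((mp.group(1), sv.group(1), sv.group(2)))
    return hits


# Constructed sample: three blocks copied from the ComboFix log above.
SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-10-31 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau C:\WINDOWS\system32\urqOGaBT

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98fbfdee-51f7-11dd-b7bc-0015af99d8cd}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com k:
\Shell\Open\command - L:\resycled\boot.com k:
"""

if __name__ == "__main__":
    blocks = parse_blocks(SAMPLE)
    for pkg in extra_auth_packages(blocks):
        print("LSA authentication package not in baseline:", pkg)
    for guid, verb, cmd in hijacked_drive_verbs(blocks):
        print("volume %s verb %s -> %s" % (guid, verb, cmd))
```

Cleaning the MountPoints2 verbs alone is not enough: the key is only a cache, and the drive that carried the autorun.inf re-infects the machine on the next insert unless resycled\boot.com and autorun.inf are removed from every volume, which is what the newer ComboFix run further down does.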
Posted: 24 Nov 2008 21:50
Piksi


Did you also run MBAM?
Attach its log too...
Posted: 24 Nov 2008 22:31
stefannn


MBAM Log:

Malwarebytes' Anti-Malware 1.28
Database version: 1266
Windows 5.1.2600 Service Pack 3, v.3244

24.11.2008 21:56:15
mbam-log-2008-11-24 (21-56-15).txt

Scan type: Quick Scan
Objects scanned: 48766
Time elapsed: 3 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\wingdm32.dll (Dialer) -> Delete on reboot.

----------- Update: 24 Nov 2008 22:31 ---------

Here is the log from the full scan:
Malwarebytes' Anti-Malware 1.28
Database version: 1266
Windows 5.1.2600 Service Pack 3, v.3244

24.11.2008 22:27:28
mbam-log-2008-11-24 (22-27-28).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|J:\)
Objects scanned: 93885
Time elapsed: 24 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\wingdm32.dll (Dialer) -> Delete on reboot.
Posted: 24 Nov 2008 22:55
Piksi


Your ComboFix version is old. Download a fresh ComboFix and post me a new log.
Also, I can see that you have run ComboFix several times. Can you attach those old logs too?
Posted: 24 Nov 2008 22:59
stefannn


Tomorrow I'll post the older logs and the log from the newer CFix.
Posted: 24 Nov 2008 23:02
Piksi


OK... I'll only be able to look at it in the evening, since I have a lot of obligations at university...
Posted: 25 Nov 2008 14:36
stefannn


Here is the log from the new CFix:
ComboFix 08-11-24.03 - Stefan 2008-11-25 14:20:03.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.458 [GMT 1:00]
Running from: d:\stef4n\za malware\ComboFix\ComboFix.exe
* Created a new restore point
* Resident AV is active

.
/wow section - STAGE 41


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\lphxitbg.ini
c:\windows\system32\TBaGOqru.ini
c:\windows\system32\TBaGOqru.ini2
c:\windows\Tasks\rjrrfpyy.job
D:\resycled
d:\resycled\boot.com
E:\resycled
e:\resycled\boot.com
F:\resycled
f:\resycled\boot.com
J:\autorun.inf
J:\resycled
j:\resycled\boot.com

.
((((((((((((((((((((((((( Files Created from 2008-10-25 to 2008-11-25 )))))))))))))))))))))))))))))))
.

2008-11-22 12:29 . 2008-11-23 20:45 <DIR> d-------- c:\program files\mIRC
2008-11-22 12:29 . 2008-11-23 21:57 <DIR> d-------- c:\documents and settings\Stefan\Application Data\mIRC
2008-11-18 19:03 . 2005-05-02 05:10 68,096 --a------ c:\windows\system32\agrsmdel.exe
2008-11-18 19:01 . 2008-11-18 19:03 <DIR> d-------- c:\windows\Options
2008-11-18 19:01 . 2006-04-19 16:50 788,224 --a------ c:\windows\system32\drivers\BisonCam.sys
2008-11-18 19:01 . 2005-01-14 13:47 180,224 --a------ c:\windows\system\StillDrv.dll
2008-11-18 19:01 . 2006-03-07 16:26 126,976 --a------ c:\windows\system\BisonCam.dll
2008-11-18 19:01 . 2006-03-07 16:26 90,112 --a------ c:\windows\system\BisonVfw.dll
2008-11-18 19:01 . 2006-03-02 14:41 77,942 --a------ c:\windows\system32\BisonRem.dll
2008-11-18 19:01 . 2003-09-22 13:49 15,190 --a------ c:\windows\M2000Twn.ini
2008-11-18 19:01 . 2003-09-22 14:36 13,448 --a------ c:\windows\M2000Twn.src
2008-11-18 19:01 . 2005-12-05 12:08 2,264 --a------ c:\windows\system\S20H0220.csr
2008-11-18 19:01 . 2005-12-05 12:08 2,264 --a------ c:\windows\system\S20F0220.csr
2008-11-17 20:36 . 2007-08-02 22:09 5,624,832 --a------ c:\windows\system\DriveIcon.dll
2008-11-17 20:36 . 2007-09-18 15:08 44,032 --a------ c:\windows\system32\drivers\RTSTOR.sys
2008-11-17 20:36 . 2007-09-27 15:12 38,660 --a------ c:\windows\system\sd.ico
2008-11-17 20:36 . 2007-09-27 15:04 37,300 --a------ c:\windows\system\cf.ico
2008-11-17 20:36 . 2007-09-27 15:17 37,041 --a------ c:\windows\system\sm.ico
2008-11-17 20:36 . 2007-09-27 15:32 34,530 --a------ c:\windows\system\ms.ico
2008-11-17 20:36 . 2004-06-30 16:24 5,430 --a------ c:\windows\system\MyMulti.ico
2008-11-16 19:58 . 2005-04-25 10:43 159,616 --a------ c:\windows\system32\drivers\Vax347b.sys
2008-11-16 19:58 . 2004-04-30 09:33 5,248 --a------ c:\windows\system32\drivers\Vax347s.sys
2008-11-16 19:57 . 2008-11-16 19:57 <DIR> d-------- c:\program files\Alcohol Soft
2008-11-15 19:08 . 2008-11-15 19:08 <DIR> d-------- c:\program files\YouTube Downloader
2008-11-14 18:57 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll
2008-11-13 16:35 . 2008-11-13 16:35 <DIR> d-------- C:\FAX
2008-11-13 16:34 . 2008-11-13 16:34 <DIR> d-------- c:\windows\system32\FxsTmp
2008-11-13 16:34 . 2001-08-23 11:00 132,608 --a------ c:\windows\system32\fxsclntR.dll
2008-11-13 16:34 . 2001-08-23 11:00 132,608 --a--c--- c:\windows\system32\dllcache\fxsclntr.dll
2008-11-13 16:34 . 2001-08-23 11:00 111,104 --a------ c:\windows\system32\fxscfgwz.dll
2008-11-13 16:34 . 2001-08-23 11:00 111,104 --a--c--- c:\windows\system32\dllcache\fxscfgwz.dll
2008-11-13 16:34 . 2001-08-23 11:00 31,744 --a------ c:\windows\system32\fxsroute.dll
2008-11-13 16:34 . 2001-08-23 11:00 31,744 --a--c--- c:\windows\system32\dllcache\fxsroute.dll
2008-11-13 16:34 . 2001-08-23 11:00 11,264 --a------ c:\windows\system32\fxssend.exe
2008-11-13 16:34 . 2001-08-23 11:00 11,264 --a--c--- c:\windows\system32\dllcache\fxssend.exe
2008-11-13 16:34 . 2001-08-23 11:00 1,793 --a------ c:\windows\system32\fxsperf.ini
2008-11-13 16:34 . 2001-08-23 11:00 1,361 --a------ c:\windows\system32\fxscount.h
2008-11-13 16:34 . 2008-11-13 16:34 535 --a------ c:\windows\system32\mapisvc.inf
2008-11-12 13:02 . 2008-11-12 13:02 <DIR> d-------- c:\program files\iPassion
2008-11-12 13:02 . 2008-01-23 18:41 86,016 --a------ c:\windows\iPScan.exe
2008-11-12 13:02 . 2008-01-25 09:26 53,248 --a------ c:\windows\iPInst.dll
2008-11-12 13:01 . 2008-11-12 13:01 <DIR> d-------- c:\documents and settings\Stefan\Application Data\InstallShield
2008-11-12 13:00 . 2008-11-12 13:00 <DIR> d-------- c:\program files\MSI
2008-11-12 12:50 . 2008-01-28 10:06 241,920 --a------ c:\windows\system32\drivers\iP293x.SYS
2008-11-12 12:50 . 2007-10-31 10:36 225,280 --a------ c:\windows\iPTwain.exe
2008-11-12 12:50 . 2007-08-02 14:38 65,536 --a------ c:\windows\system32\iPCamLib.Dll
2008-11-12 12:50 . 2008-01-04 18:45 57,344 --a------ c:\windows\iPPage.AX
2008-11-12 12:50 . 2007-12-03 10:16 40,960 --a------ c:\windows\iPSti.exe
2008-11-12 12:50 . 2007-10-31 00:33 28,672 --a------ c:\windows\vidcap.ax
2008-11-12 12:50 . 2007-10-31 00:33 20,992 --a------ c:\windows\dshowext.ax
2008-11-12 12:47 . 2007-10-30 18:46 60,032 --a------ c:\windows\system32\drivers\USBAUDIO.sys
2008-11-12 12:47 . 2007-10-30 18:46 60,032 --a--c--- c:\windows\system32\dllcache\usbaudio.sys
2008-11-10 21:36 . 2006-09-18 14:59 90,800 -ra------ c:\windows\system32\drivers\se27unic.sys
2008-11-10 21:36 . 2006-09-18 14:58 88,688 -ra------ c:\windows\system32\drivers\SE27mgmt.sys
2008-11-10 21:36 . 2006-09-18 14:59 86,560 -ra------ c:\windows\system32\drivers\SE27obex.sys
2008-11-10 21:36 . 2006-09-18 14:59 18,704 -ra------ c:\windows\system32\drivers\se27nd5.sys
2008-11-10 21:36 . 2006-09-18 14:58 4,128 -ra------ c:\windows\system32\drivers\se27cr.sys
2008-11-10 21:32 . 2008-11-14 21:15 <DIR> d-------- c:\documents and settings\Stefan\Application Data\Teleca
2008-11-10 21:02 . 2008-11-10 21:02 <DIR> d-------- c:\documents and settings\Stefan\Application Data\Sony Ericsson
2008-11-10 20:57 . 2008-11-10 20:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sony Ericsson
2008-11-10 20:56 . 2008-11-10 20:56 <DIR> d-------- c:\windows\Downloaded Installations
2008-11-10 20:56 . 2008-11-10 20:56 <DIR> d-------- c:\program files\Sony Ericsson
2008-11-10 20:56 . 2008-11-10 20:57 <DIR> d-------- c:\program files\Common Files\Teleca Shared
2008-11-10 20:56 . 2008-11-10 20:57 <DIR> d-------- c:\program files\Common Files\Sony Ericsson Shared
2008-11-10 20:56 . 2008-11-10 20:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Teleca
2008-11-08 21:58 . 2008-11-08 21:58 <DIR> d-------- c:\documents and settings\Stefan\Application Data\Thunderbird
2008-11-08 21:57 . 2008-11-08 21:57 <DIR> d-------- c:\program files\Mozilla Thunderbird
2008-11-05 20:13 . 2007-10-31 00:31 562,176 --a------ c:\windows\system32\fxsst.dll
2008-11-05 20:12 . 2007-10-31 00:31 397,312 --a------ c:\windows\system32\fxstiff.dll
2008-11-05 20:11 . 2008-11-05 20:11 <DIR> d-------- c:\windows\ServicePackFiles
2008-11-05 20:08 . 2006-12-29 00:31 19,569 --a------ c:\windows\002544_.tmp
2008-11-05 17:04 . 1997-03-16 18:31 105,600 --a------ c:\windows\YUERIFE.FON
2008-11-05 17:04 . 1996-04-27 10:32 89,620 --a------ c:\windows\MD1.BMP
2008-11-05 17:04 . 1996-04-27 10:14 88,324 --a------ c:\windows\MD3.BMP
2008-11-05 17:04 . 1996-04-27 10:06 84,612 --a------ c:\windows\MD2.BMP
2008-11-05 17:04 . 2008-11-05 17:04 0 --a------ c:\windows\MD4.BMP
2008-11-04 21:09 . 2008-04-14 06:34 480,367 -ra------ C:\txtsetup.sif
2008-11-04 21:09 . 2008-04-13 23:02 260,288 -ra------ C:\$LDR$
2008-11-04 20:46 . 2008-11-04 20:46 <DIR> d-------- c:\documents and settings\Stefan\Application Data\Thinstall
2008-11-04 20:38 . 2008-11-04 20:39 287,976 --a------ C:\cc_20081104_203843.reg
2008-11-03 20:13 . 2007-07-30 19:19 271,224 --a------ c:\windows\system32\mucltui.dll
2008-11-03 20:13 . 2007-07-30 19:19 207,736 --a------ c:\windows\system32\muweb.dll
2008-11-03 20:13 . 2007-07-30 19:19 30,072 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-01 13:09 . 2008-11-01 13:09 <DIR> d-------- c:\program files\The Weather Channel FW
2008-10-28 22:39 . 2008-10-28 22:40 <DIR> d-------- c:\program files\HotPotatoes6
2008-10-28 22:32 . 2008-10-28 22:39 <DIR> d-------- c:\program files\RapidTyping
2008-10-27 11:58 . 2008-10-27 11:58 <DIR> d-------- c:\program files\Uniblue
2008-10-26 20:48 . 2008-10-27 11:57 <DIR> d---s---- c:\documents and settings\Administrator
2008-10-26 19:59 . 2008-10-27 11:57 <DIR> d-------- c:\program files\Uniblue(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-24 20:44 --------- d-----w c:\program files\MSN Messenger
2008-11-24 16:07 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-18 18:10 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-13 16:01 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-10-28 22:07 --------- d-----w c:\documents and settings\Stefan\Application Data\Free Download Manager
2008-10-28 21:42 --------- d-----w c:\program files\Common Files\Adobe
2008-10-27 10:57 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-26 15:31 --------- d-----w c:\documents and settings\Stefan\Application Data\skypePM
2008-10-26 15:28 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-10-23 08:52 --------- d-----w c:\documents and settings\Stefan\Application Data\Uniblue
2008-10-19 21:05 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-10-19 21:05 --------- d-----w c:\program files\Windows Live
2008-10-19 20:55 --------- dc-h--w c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-10-19 20:55 --------- d-----w c:\program files\CCleaner
2008-10-19 16:58 --------- d-----w c:\program files\Virtual Dub 1.8.6
2008-10-18 16:49 --------- d-----w c:\program files\KGB Archiver
2008-10-18 11:14 --------- d-----w c:\program files\Common Files\Ahead
2008-10-18 11:13 --------- d-----w c:\program files\Nero
2008-10-18 11:01 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2008-10-15 18:26 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-14 18:34 --------- d-----w c:\program files\Ahead
2008-10-13 21:06 --------- d-----w c:\program files\%temp&
2008-10-12 12:11 --------- d-----w c:\documents and settings\Stefan\Application Data\zweitgeist
2008-10-12 12:05 --------- d-----w c:\documents and settings\Stefan\Application Data\Ahead
2008-10-12 11:40 223,128 ----a-w c:\windows\system32\drivers\dtscsi.sys
2008-10-12 11:40 --------- d-----w c:\program files\DAEMON Tools
2008-10-04 14:21 --------- d-----w c:\program files\PopCap Games
2008-10-04 13:54 --------- d-----w c:\documents and settings\All Users\Application Data\PopCap Games
2008-10-04 13:44 --------- d-----w c:\program files\TuneUp Utilities 2008
2008-10-04 13:41 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-10-04 13:40 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-04 13:15 --------- d-----w c:\program files\VideoLAN
2008-10-04 13:12 --------- d-----w c:\documents and settings\Stefan\Application Data\vlc
2008-10-04 12:23 --------- d-----w c:\program files\ESET
2008-10-03 18:38 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-10-02 20:37 --------- d-----w c:\documents and settings\Stefan\Application Data\Malwarebytes
2008-10-02 20:37 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-02 19:52 --------- d-----w c:\program files\ICQToolbar
2008-10-02 08:51 --------- d-----w c:\program files\Common Files\SWF Studio
2008-09-11 12:55 315,392 ----a-w c:\windows\HideWin.exe
2008-08-04 12:42 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-07-14 16:01 81,920 ----a-w c:\documents and settings\Stefan\Application Data\ezpinst.exe
2008-07-14 16:01 47,360 ----a-w c:\documents and settings\Stefan\Application Data\pcouffin.sys
2003-03-21 12:45 250,544 ----a-w c:\program files\Common Files\keyhelp.ocx
.

((((((((((((((((((((((((((((( snapshot@2008-11-24_21.29.31.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\erdnt\subs\ERDNT.EXE
- 2008-11-05 19:22:17 29,926 ----a-r c:\windows\Installer\{C13A4354-1DB6-4965-A250-20781E1FA9B2}\MsblIco.Exe
+ 2008-11-24 20:45:03 29,926 ----a-r c:\windows\Installer\{C13A4354-1DB6-4965-A250-20781E1FA9B2}\MsblIco.Exe
- 2007-07-30 17:19:20 92,504 ----a-w c:\windows\system32\cdm.dll
+ 2008-10-16 13:09:44 92,696 ----a-w c:\windows\system32\cdm.dll
+ 2008-10-16 13:09:44 92,696 -c--a-w c:\windows\system32\dllcache\cdm.dll
+ 2008-10-16 13:12:20 561,688 -c--a-w c:\windows\system32\dllcache\wuapi.dll
+ 2008-10-16 13:09:44 51,224 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
+ 2008-10-16 13:13:40 1,809,944 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
+ 2008-10-16 13:12:22 323,608 -c--a-w c:\windows\system32\dllcache\wucltui.dll
+ 2008-10-16 13:08:58 34,328 -c--a-w c:\windows\system32\dllcache\wups.dll
+ 2008-10-16 13:13:40 202,776 -c--a-w c:\windows\system32\dllcache\wuweb.dll
+ 2008-10-16 13:08:58 34,328 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2008-10-16 13:09:44 43,544 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
- 2007-07-30 17:19:36 549,720 ----a-w c:\windows\system32\wuapi.dll
+ 2008-10-16 13:12:20 561,688 ----a-w c:\windows\system32\wuapi.dll
- 2007-07-30 17:19:16 53,080 ----a-w c:\windows\system32\wuauclt.exe
+ 2008-10-16 13:09:44 51,224 ----a-w c:\windows\system32\wuauclt.exe
- 2007-07-30 17:19:42 1,712,984 ----a-w c:\windows\system32\wuaueng.dll
+ 2008-10-16 13:13:40 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
- 2007-07-30 17:19:32 325,976 ----a-w c:\windows\system32\wucltui.dll
+ 2008-10-16 13:12:22 323,608 ----a-w c:\windows\system32\wucltui.dll
- 2007-07-30 17:18:40 33,624 ----a-w c:\windows\system32\wups.dll
+ 2008-10-16 13:08:58 34,328 ----a-w c:\windows\system32\wups.dll
- 2007-07-30 17:19:12 43,352 ----a-w c:\windows\system32\wups2.dll
+ 2008-10-16 13:09:44 43,544 ----a-w c:\windows\system32\wups2.dll
- 2007-07-30 17:19:28 203,096 ----a-w c:\windows\system32\wuweb.dll
+ 2008-10-16 13:13:40 202,776 ----a-w c:\windows\system32\wuweb.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2007-10-31 15360]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Google Update"="c:\documents and settings\Stefan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-09 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
"AGRSMMSG"="AGRSMMSG.exe" [2006-06-29 c:\windows\AGRSMMSG.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-08-28 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-28 11:32 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"msacm.l3acm"= L3codecp.acm
"msacm.divxa32"= DivXa32.acm
"vidc.asv2"= asusasv2.dll
"vidc.div3"= DivXc32.dll
"vidc.div4"= DivXc32f.dll
"vidc.ap41"= APmpg4v1.dll
"vidc.mjpg"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
"vidc.rud0"= rududu.dll
"vidc.mj2c"= M3JP2K32.dll
"vidc.mmes"= DigiVCap.dll
"vidc.vixl"= Miroxl32.dll
"vidc.sony"= sonydv.dll
"vidc.dv25"= DigiVCap.dll
"vidc.dv50"= DigiVCap.dll
"vidc.msmc"= DigiVCap.dll
"vidc.mmjp"= DigiVCap.dll
"vidc.3ivx"= 3ivxVfWCodec.dll
"vidc.vssv"= vsscodec.dll
"vidc.pim1"= pclepim1.dll
"vidc.advs"= Dvc.dll
"vidc.asv1"= asusasv1.dll
"vidc.aflc"= flccodec32.dll
"vidc.aasc"= Aasc32.dll
"vidc.avrn"= AvidAVICodec.dll
"VIDC.mszh"= avimszh.dll
"vidc.zlib"= avizlib.dll
"vidc.mwv1"= icmw_32.dll
"vidc.bt20"= btvvc32.drv
"vidc.y41p"= btvvc32.drv
"vidc.cscd"= camcodec.dll
"vidc.cdvc"= CSCCDVC.DLL
"vidc.ddvc"= CSCdvsd.DLL
"vidc.dps0"= DpsAviCC.dll
"vidc.dvx4"= divx4.dll
"vidc.em2v"= EtxCodec.dll
"vidc.frwd"= frwd.dll
"vidc.frwt"= frwt.dll
"vidc.frwu"= frwu.dll
"vidc.glzw"= GLZW.dll
"vidc.gpeg"= GPEG.dll
"vidc.hfyu"= huffyuv.dll
"vidc.i263"= i263_32.drv
"vidc.ir21"= IR21_R.DLL
"vidc.rt21"= IR21_R.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-03-12 12:49 153136 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2007-10-31 00:32 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-11-08 23:00 128920 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
--a------ 2008-09-09 14:06 2465839 c:\program files\Free Download Manager\fdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-09 14:06 133104 c:\documents and settings\Stefan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iPPCamScan]
--a------ 2008-01-23 18:41 86016 c:\windows\iPScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2003-03-25 04:49 53248 c:\windows\system32\mmtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray2K]
--a------ 2003-03-25 04:49 57344 c:\windows\system32\mmtray2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTrayLSI]
--a------ 2003-03-25 04:49 53248 c:\windows\system32\mmtraylsi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-09 17:53 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2006-11-24 01:06 487424 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 10:43 2097488 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 11:35 90112 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
-ra------ 2006-06-29 06:32 89541 c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2007-11-30 11:42 16858624 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]
--a------ 2003-03-25 04:49 106544 c:\windows\system32\tweakui.cpl

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\winver.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys [2008-08-14 45848]
R2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe -k netsvcs [2004-08-03 14336]
R3 DCamUSBTP10;StarCam mini+;c:\windows\system32\Drivers\iP293x.sys [2008-11-12 241920]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\DRIVERS\RMSPPPOE.SYS [2002-06-09 31232]
R3 RTSTOR;USB Mass Stroage Device;c:\windows\system32\drivers\RTSTOR.SYS [2008-11-17 44032]
R3 WSIMD;wsimd Service;c:\windows\system32\DRIVERS\wsimd.sys [2008-09-23 57024]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys []
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;c:\windows\System32\TuneUpDefragService.exe [2008-10-04 306432]
S3 usnjsvc;Usluga Messenger Sharing Folders USN Journal Reader;"c:\program files\MSN Messenger\usnsvc.exe" [2007-01-19 97136]
S4 LMIRfsClientNP;LMIRfsClientNP; []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98fbfdee-51f7-11dd-b7bc-0015af99d8cd}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com k:
\Shell\Open\command - l:\resycled\boot.com k:
.
Contents of the 'Scheduled Tasks' folder

2008-11-14 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2008-01-08 12:31]

2008-11-24 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Stefan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-09 14:06]
.
- - - - ORPHANS REMOVED - - - -

Notify-wingdm32 - wingdm32.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Stefan\Application Data\Mozilla\Firefox\Profiles\6797vdyr.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://google.rs
FF -: plugin - c:\documents and settings\Stefan\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-25 14:25:44
Windows 5.1.2600 Service Pack 3, v.3244 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASPI32]
"ImagePath"="hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,73,00,70,00,69,00,33,00,32,00,2e,00,73,00,79,00,73,00,00,00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASPI32]
"ImagePath"="hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,73,00,70,00,69,00,33,00,32,00,2e,00,73,00,79,00,73,00,00,00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1316)
c:\windows\system32\athgina.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\acs.exe
c:\program files\ESET\ESET Smart Security\ekrn.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
.
**************************************************************************
.
Completion time: 2008-11-25 14:28:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-25 13:28:19
ComboFix2.txt 2008-11-24 20:29:55
ComboFix3.txt 2008-10-05 11:21:57

Pre-Run: 20.409.868.288 bytes free
Post-Run: 20,354,236,416 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[Boot Loader]
Timeout=2
Default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /usepmtimer
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /usepmtimer
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=

389 --- E O F --- 2008-11-17 17:32:29
Posted: 26 Nov 2008 16:38
Piksi
Elite citizen
Joined: 13 Nov 2003
Posts: 2424

The posted logs are clean, but I can see that you have an infected USB stick...

---------------------------------------------

Download the following program - http://amf.mycity.co.yu/personal/bobby/USB_blocker/usb_blocker.exe
- start it and choose the Auto block option
- insert the USB stick into the computer and wait a few seconds (say 5-10 seconds)
- the program has now analysed the stick (you can see this in the lower part of the program, in the log)
- in the top left, double-click the letter that denotes the partition, i.e. your USB stick
- a message will appear down by the clock saying that you may remove the USB stick from the computer
- do not close the program; insert the next USB stick and wait a few seconds for it too, and so on for all the sticks, MP3 players, the phone
- remember the order in which the sticks were inserted

When you have finished all that, the log in the lower part of the program will contain all the data I need to see which stick is infected.
Right-click on the log/report and choose Save log.
Notepad will open automatically with the report in it.
Copy that report here to the forum for me.
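The diagnosis above rests on the MountPoints2 block of the ComboFix log (the `\Shell\AutoRun\command` and `\Shell\Open\command` entries pointing at `resycled\boot.com`), which is what the USB_blocker procedure then tries to trace back to a specific device. As an added example, not part of the thread, ComboFix or USB_blocker, the Python script below applies that reading mechanically: it parses a MountPoints2 block in the ComboFix format shown above and flags commands with the marks of an autorun worm (the rundll32/ShellExec_RunDLL indirection, a relative path or a path on a non-system volume, the `resycled` lookalike of `recycled`, a `.com` payload, an overridden Open verb). It goes slightly beyond the log by running the same checks over the launch keys of an autorun.inf, since those entries are where MountPoints2 gets its commands. The sample log text, the autorun.inf, the benign camera-launcher entry and the assumption that the system drive is `C:` are all constructed for this example.

```python
"""Flag autorun-worm indicators in ComboFix MountPoints2 output and autorun.inf files.

Added example; not ComboFix, USB_blocker or forum tooling. Sample inputs are
constructed: the first MountPoints2 entry mirrors the log format on this page,
the camera-launcher entry is an invented benign case, system drive assumed C:.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98fbfdee-51f7-11dd-b7bc-0015af99d8cd}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com k:
\Shell\Open\command - l:\resycled\boot.com k:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000001}]
\Shell\AutoRun\command - c:\program files\Example Camera\Launcher.exe
"""

# Constructed autorun.inf of the kind that produces the first entry above.
SAMPLE_AUTORUN_INF = r"""
[autorun]
open=resycled\boot.com
shell\open\command=resycled\boot.com
shell\open=Open
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

KEY_RE = re.compile(r"^\[.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.I)
INF_RE = re.compile(r"^\s*(open|shellexecute|shell\\(\w+)\\command)\s*=\s*(.+)$", re.I)
EXEC_EXT = r"\.(?:exe|com|bat|cmd|pif|scr|vbs|js)\b"
LOOKALIKES = {"resycled": "recycled"}  # misspelt system folder names used as payload dirs
SYSTEM_DRIVE = "c:"  # assumption


@dataclass
class Finding:
    source: str      # MountPoints2 GUID or "autorun.inf"
    verb: str        # Explorer shell verb the command is bound to
    program: str     # program the command actually starts
    indicators: list = field(default_factory=list)


def launched_program(command: str) -> str:
    """Extract the program a shell command really starts.

    rundll32 Shell32.DLL,ShellExec_RunDLL <target> is only a launcher, so the
    text after the export name is the real payload.
    """
    m = re.search(r"ShellExec_RunDLL\s+(.+)", command, re.I)
    body = m.group(1) if m else command
    m = re.match(r'\s*"?(.+?' + EXEC_EXT + ")", body, re.I)
    return m.group(1).strip() if m else body.strip()


def assess(verb: str, command: str):
    """Return (program, list of indicator strings) for one shell command."""
    program = launched_program(command)
    low = program.lower()
    indicators = []
    if re.search(r"rundll32(?:\.exe)?\s+shell32\.dll,\s*shellexec_rundll", command, re.I):
        indicators.append("rundll32 ShellExec_RunDLL indirection")
    if not re.match(r"(?:[a-z]:\\|\\\\|%)", low):
        indicators.append("relative path (resolves on the inserted volume)")
    elif not low.startswith(SYSTEM_DRIVE + "\\"):
        indicators.append(f"program on non-system volume {low[:2]}")
    for fake, real in LOOKALIKES.items():
        if fake in low:
            indicators.append(f"lookalike folder '{fake}' (mimics '{real}')")
    if low.endswith(".com"):
        indicators.append(".com payload")
    if verb.lower() == "open":
        indicators.append("Open verb overridden (double-clicking the drive runs it)")
    return program, indicators


def scan_mountpoints(log_text: str):
    """Walk a ComboFix MountPoints2 block; return entries with at least one indicator."""
    findings, guid = [], None
    for line in log_text.splitlines():
        line = line.strip()
        k = KEY_RE.match(line)
        if k:
            guid = k.group(1)
            continue
        c = CMD_RE.match(line)
        if c and guid:
            program, ind = assess(c.group(1), c.group(2).strip())
            if ind:
                findings.append(Finding(guid, c.group(1), program, ind))
    return findings


def scan_autorun_inf(text: str):
    """Apply the same checks to the launch keys of an autorun.inf."""
    findings = []
    for line in text.splitlines():
        m = INF_RE.match(line)
        if not m:
            continue
        verb = m.group(2) or "AutoRun"  # open= / shellexecute= are the AutoRun action
        program, ind = assess(verb, m.group(3).strip())
        if ind:
            findings.append(Finding("autorun.inf", verb, program, ind))
    return findings


if __name__ == "__main__":
    for f in scan_mountpoints(SAMPLE_LOG) + scan_autorun_inf(SAMPLE_AUTORUN_INF):
        print(f"{f.source}  {f.verb}: {f.program}")
        for i in f.indicators:
            print(f"    - {i}")
```

The benign launcher entry produces no finding because every check is about how the command is launched, not merely that an AutoRun command exists; that is the same distinction Piksi draws between the clean logs and the one MountPoints2 entry that gives the infected stick away.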
Posted: 26 Nov 2008 18:45
stefannn
Citizen
Joined: 21 Sep 2008
Posts: 220
Location: Bačka Palanka

USB_blocker by bobby

Started at 26.11.2008 18:39:25

Scanning for connected USB Mass storage...
========================================
========================================
Scanning for other storage...
========================================
C: 279bcd1c-51f4-11dd-b1a4-806d6172696f
D: 279bcd1d-51f4-11dd-b1a4-806d6172696f
E: 279bcd1e-51f4-11dd-b1a4-806d6172696f
F: 279bcd1f-51f4-11dd-b1a4-806d6172696f
========================================

Scanning fixed storage for autorun.inf files...
========================================
========================================



New device connected at 26.11.2008 18:40:12

Scanning for connected USB Mass storage...
========================================
J: b3dfb0b2-51ba-11dd-b7b3-0015af99d8cd
========================================

Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================
Sanitizing Shell Menu...
No key for GUID: b3dfb0b2-51ba-11dd-b7b3-0015af99d8cd
========================================
Posted: 26 Nov 2008 20:39
Piksi
Elite citizen
Joined: 13 Nov 2003
Posts: 2424

The stick you scanned in this process is NOT infected.
So some other stick that has been connected to your computer is infected.

Download this file, run it by double-clicking and accept with Yes.

Finally, tell me what the state is now.
Posted: 27 Nov 2008 15:42
stefannn
Citizen
Joined: 21 Sep 2008
Posts: 220
Location: Bačka Palanka

So far I have connected to the USB port: USB flash stick, web camera, BearPaw scanner, optical mouse, phone (k800i), memory card (m2) in the phone.

And my phone was infected with a virus; I had to take it to the service centre. Could the phone be the infected drive?
Posted: 27 Nov 2008 16:33
Piksi
Elite citizen
Joined: 13 Nov 2003
Posts: 2424

Of course it can...
Luckily, we can fix it as well. Just follow the instructions from this post in detail...

----------- Addendum: 27 Nov 2008 16:33 ---------

Hmm, I did not understand...
Is the phone OK now (after the service), or... ?
Posted: 27 Nov 2008 21:53
stefannn
Citizen
Joined: 21 Sep 2008
Posts: 220
Location: Bačka Palanka

I did not take it to the service centre. I tried something and somehow managed to fix it. I will post the log tonight, or if not, tomorrow afternoon.
Posted: 27 Nov 2008 22:12
Piksi
Elite citizen
Joined: 13 Nov 2003
Posts: 2424

OK. Post the log when you get to it; in any case I will only be able to look at it tomorrow after 13h... ;)

