Please check my log

offline
  • Joined: 13 May 2009
  • Posts: 10

Hello. First I'd like to thank everyone who helps on this forum! Could someone check my log for me? I have no obvious signs of a virus on the computer, but I do have an infected USB stick (it goes onto the university network, so...). Avira detects a virus on the flash drive, I delete it, and round and round it goes. How can I clean the flash drive? As for the computer, I'd like to know whether it is infected too (a buddy tells me that NOD detects the calendar I use, Rainlendar, as a Trojan and spyware...), so if you can, please take a look at the log and tell me whether there is any malware. I believe there is :( Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:27 PM, on 5/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Aston\aston.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
D:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
d:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
D:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
C:\WINDOWS\system32\svchost.exe
D:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
D:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Comodo\COMODO Internet Security\cfp.exe
D:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\Zeljko\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
D:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Virtual PC\Virtual PC.exe
C:\totalcmd\TOTALCMD.EXE
D:\Program Files\Comodo\COMODO Internet Security\cfpupdat.exe
C:\WINDOWS\explorer.exe
C:\program files\WINAMP\Winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\download\sve\TR3.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = rol.raiffeisenbank.rs/Retail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=C:\Aston\aston.exe ,svchost.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "D:\Program Files\Comodo\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Zeljko\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2009\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2009\spy.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A} (FileInterface Class) - rol.raiffeisenbank.rs/RetailDLL/FSINT.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - D:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - D:\oraclexe\app\oracle\product\10.2.0\server\BIN\omtsreco.exe
O23 - Service: OracleServiceXE - Oracle Corporation - d:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
O23 - Service: OracleXEClrAgent - Unknown owner - D:\oraclexe\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe
O23 - Service: OracleXETNSListener - Unknown owner - D:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
O23 - Service: wampapache - Apache Software Foundation - D:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - D:\wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe

--
End of file - 10969 bytes

offline
  • dr_Bora  Male
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...

Right-click the Avira icon in the bottom-right corner of the screen and untick AntiVir Guard Enable.

Download ComboFix to your Desktop from one of the following addresses:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and do not touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear; copy it here for us.

-------------------------------------------------------------------------------------

Download USBNoRisk to your Desktop and run it by double-clicking the program icon.
- Wait a few seconds while the program performs its initial scan.
- Insert every USB storage device in turn into the USB slot and leave each one in for 10 seconds.
- If you have several devices to check, write down on a piece of paper the order in which they were inserted, because we will need that information later.
- When you have finished with all the devices, right-click in the middle of the program window and choose Save log. That will automatically open the log in Notepad. Copy that log from Notepad to the forum for us.

Explanation: USB storage devices are all devices that get their own drive letter when connected to the computer. These include USB flash drives, external hard disks, memory cards, MP3 and MP4 players, some mobile phones, some GPS (navigation) devices, etc.

offline
  • Joined: 13 May 2009
  • Posts: 10

ComboFix log:

ComboFix 09-05-12.06 - Zeljko 05/13/2009 22:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1983.1490 [GMT 2:00]
Running from: d:\download\sve\Ambulanta\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: COMODO Firewall *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-13 to 2009-05-13 )))))))))))))))))))))))))))))))
.

2009-05-13 16:27 . 2009-05-13 16:28 -------- d-----w C:\USBNoRisk
2009-05-10 08:36 . 2009-05-10 10:02 -------- d-----w c:\documents and settings\Zeljko\Application Data\Ventrilo
2009-05-10 08:35 . 2009-05-10 08:35 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-05 20:02 . 2009-05-05 20:02 -------- d-----w c:\documents and settings\Zeljko\Application Data\teamspeak2
2009-04-21 14:11 . 2009-04-21 14:55 77588 ----a-w c:\windows\War3Unin.dat
2009-04-21 14:11 . 2009-04-21 14:18 2829 ----a-w c:\windows\War3Unin.pif
2009-04-21 14:11 . 2009-04-21 14:18 139264 ----a-w c:\windows\War3Unin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-13 21:00 . 2008-12-12 11:37 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2009-05-13 16:28 . 2008-10-22 15:41 -------- d-----w c:\program files\Winamp
2009-05-09 07:02 . 2008-12-12 11:38 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-04-22 08:31 . 2008-08-09 09:33 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-20 10:36 . 2008-08-13 12:42 21840 ----atw c:\windows\system32\SIntfNT.dll
2009-04-20 10:36 . 2008-08-13 12:42 17212 ----atw c:\windows\system32\SIntf32.dll
2009-04-20 10:36 . 2008-08-13 12:42 12067 ----atw c:\windows\system32\SIntf16.dll
2009-03-28 07:54 . 2009-03-28 07:54 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-01 07:54 . 2008-08-09 09:43 72352 ----a-w c:\documents and settings\Zeljko\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-01 00:25 . 2009-03-01 00:25 191200 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2008-11-26 21:28 . 2008-08-12 17:49 17410080 --sha-w c:\windows\system32\drivers\fidbox.dat
.

------- Sigcheck -------

[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2004-08-03 21:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-12-01 14:02 359040 27A5959C94EE173A063CA06BD14F021A c:\windows\system32\dllcache\TCPIP.SYS
[-] 2008-12-01 14:02 359040 27A5959C94EE173A063CA06BD14F021A c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2008-08-24 4067328]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-18 21633320]
"Google Update"="c:\documents and settings\Zeljko\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-06 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-16 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-16 81920]
"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"COMODO Internet Security"="d:\program files\Comodo\COMODO Internet Security\cfp.exe" [2008-12-01 1796856]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-12-07 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-09-16 1626112]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-09-19 16844800]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-08-03 1826816]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]

c:\documents and settings\Zeljko\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Logitech SetPoint.lnk - d:\program files\Logitech\SetPoint\SetPoint.exe [2008-12-7 692224]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"d:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18589:TCP"= 18589:TCP:BitComet 18589 TCP
"18589:UDP"= 18589:UDP:BitComet 18589 UDP

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [12/1/2008 3:23 PM 99216]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [12/1/2008 3:23 PM 31504]
R2 OracleServiceXE;OracleServiceXE;d:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE --> d:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]
R2 OracleXETNSListener;OracleXETNSListener;d:\oraclexe\app\oracle\product\10.2.0\server\BIN\TNSLSNR.EXE [2/2/2006 1:49 AM 204800]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;d:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE --> d:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43dbe031-fc1c-11dd-8a62-001d7d5242bf}]
\Shell\AutoRun\command - F:\
\Shell\open\Command - rundll32.exe .\\hbdhe.dll,InstallM

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2ee3169-6933-11dd-b433-001d7d5242bf}]
\Shell\AutoRun\command - F:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b15dfd9e-253b-11de-8aa2-001d7d5242bf}]
\Shell\AutoRun\command - 80avp08.com
\Shell\explore\Command - 80avp08.com
\Shell\open\Command - 80avp08.com
.
Contents of the 'Scheduled Tasks' folder

2009-05-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-05-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-1614895754-682003330-1003.job
- c:\documents and settings\Zeljko\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-06 22:50]
.
.
------- Supplementary Scan -------
.
uStart Page = rol.raiffeisenbank.rs/Retail
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - d:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - d:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - d:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: raiffeisenbank.rs\rol
DPF: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A} - hxxps://rol.raiffeisenbank.rs/RetailDLL/FSINT.dll
FF - ProfilePath - c:\documents and settings\Zeljko\Application Data\Mozilla\Firefox\Profiles\66fn43p0.default\
FF - component: c:\documents and settings\Zeljko\Application Data\Mozilla\Firefox\Profiles\66fn43p0.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Zeljko\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: d:\program files\Opera\program\plugins\npdsplay.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin2.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin3.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin4.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin5.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin6.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin7.dll
FF - plugin: d:\program files\Opera\program\plugins\NPSWF32.dll
FF - plugin: d:\program files\Opera\program\plugins\npwmsdrm.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-05-13 23:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Zeljko\LOCALS~1\Temp\RGI7.tmp 7075 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948-)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(7876)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
d:\program files\Logitech\SetPoint\GameHook.dll
d:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\hnetcfg.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
d:\program files\Comodo\COMODO Internet Security\cmdagent.exe
d:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\nvsvc32.exe
d:\oraclexe\app\oracle\product\10.2.0\server\BIN\oracle.exe
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.exe
c:\windows\system32\wdfmgr.exe
d:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
d:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\MSN Messenger\usnsvc.exe
d:\program files\Comodo\COMODO Internet Security\cfpupdat.exe
.
**************************************************************************
.
Completion time: 2009-05-13 23:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-13 21:08

Pre-Run: 6,522,912,768 bytes free
Post-Run: 7,274,528,768 bytes free

195 --- E O F --- 2008-11-12 19:28

USBNoRisk log:

USBNoRisk 2.2 09 May 2009 by bobby

Started at 5/13/2009 6:26:28 PM

Searching for connected USB Mass storage...
----------------------------------------
I: {624d7cb6-80e5-11dd-897e-001d7d5242bf}
========================================

Searching for other storage...
----------------------------------------
C: {953827cf-6601-11dd-881a-806d6172696f}
D: {953827d0-6601-11dd-881a-806d6172696f}
========================================

Scanning removable storage...
----------------------------------------

No blocked files found on I:
autorun.inf found on I:
----------------------------------------
File I:\autorun.inf renamed successfully

Content of I:\autorun.inf.blocked
----------------------------------------
[autorun]
open=SYSTEM\FILES\ARMY.exe
;ªÓÈÅÌÌüÏÐÅÎüÄÅÆÁÕÌԝ‘Ά

;This is Mainly Used by Driver Utility Dont Remove This File.
action=Open folder to view files
shell\open=Open
shell\open\command=SYSTEM\FILES\ARMY.exe
shell\open\default=1
----------------------------------------

Files referenced from I:\autorun.inf.blocked
----------------------------------------
None
----------------------------------------

Sanitized mountpoint for 624d7cb6-80e5-11dd-897e-001d7d5242bf
No Desktop.ini files found on I:
No mimics found on drive I:
----------------------------------------


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 953827cf-6601-11dd-881a-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

No blocked files found on D:
No Autorun.inf files found on D:
No mountpoint found for D:
No mountpoint found for 953827d0-6601-11dd-881a-806d6172696f
No Desktop.ini files found on D:
----------------------------------------

========================================
Initial scan finished!
========================================
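The autorun.inf that USBNoRisk renamed on I: and the MountPoints2 entries in the ComboFix log above are the same mechanism seen from two sides: what the removable drive asks Explorer to run, and what Explorer has cached per user for every drive it has seen. The Python script below is an added example, not code from USBNoRisk, ComboFix or this thread. It parses both formats (the sample inputs embedded in it are copied from the logs above and marked as constructed), lists the files an autorun.inf names, regardless of whether they still exist on the drive, and flags MountPoints2 entries whose cached verbs run something beyond opening the drive root. The regular expressions and the HIGH/REVIEW severity labels are this example's own heuristics, not either tool's.

```python
"""Autorun-hook triage for removable media (added example, not USBNoRisk or ComboFix code).

Two checks the logs in this thread illustrate:
  1. which files an autorun.inf would run (cf. USBNoRisk's "Files referenced from" section), and
  2. which cached MountPoints2 entries execute something when a drive is opened
     (the keys the CFScript later in the thread deletes).
The heuristics and severity labels are this example's own, not those of either tool.
"""
import re

# Constructed sample: the autorun.inf USBNoRisk renamed on I:, copied from the log above
# (the obfuscated binary comment line is replaced by a plain comment).
SAMPLE_AUTORUN_INF = r"""[autorun]
open=SYSTEM\FILES\ARMY.exe
;(obfuscated comment line omitted)
;This is Mainly Used by Driver Utility Dont Remove This File.
action=Open folder to view files
shell\open=Open
shell\open\command=SYSTEM\FILES\ARMY.exe
shell\open\default=1
"""

# Constructed sample: the MountPoints2 block from the first ComboFix log above.
SAMPLE_MOUNTPOINTS2 = r"""[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43dbe031-fc1c-11dd-8a62-001d7d5242bf}]
\Shell\AutoRun\command - F:\
\Shell\open\Command - rundll32.exe .\\hbdhe.dll,InstallM

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2ee3169-6933-11dd-b433-001d7d5242bf}]
\Shell\AutoRun\command - F:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b15dfd9e-253b-11de-8aa2-001d7d5242bf}]
\Shell\AutoRun\command - 80avp08.com
\Shell\explore\Command - 80avp08.com
\Shell\open\Command - 80avp08.com
"""

EXECUTABLE_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".dll", ".vbs", ".js")


def parse_autorun_inf(text):
    """Return {key_lower: value} from the [autorun] section; comments and other sections are ignored."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def referenced_executables(text):
    """Files the autorun.inf would execute: open=, shellexecute= and shell\\<verb>\\command=."""
    refs = []
    for key, value in parse_autorun_inf(text).items():
        runs_something = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if not runs_something:
            continue
        # The first token is the program; a quoted path may contain spaces.
        target = value.split('"')[1] if value.startswith('"') else (value.split() or [""])[0]
        if target and target not in refs:
            refs.append(target)
    return refs


MP2_KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
MP2_CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.*)$", re.I)


def parse_mountpoints2(text):
    """Return {guid: {verb_lower: command}} from a ComboFix-style MountPoints2 dump."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = MP2_KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            result[current] = {}
            continue
        cmd = MP2_CMD_RE.match(line)
        if cmd and current is not None:
            result[current][cmd.group(1).lower()] = cmd.group(2).strip()
    return result


def suspicious_mountpoints(text):
    """GUIDs whose cached verbs run something other than opening the drive root.

    Severity labels are this example's own heuristic: HIGH for rundll32, relative paths
    and unusual executable types; REVIEW for an absolute path to a program, which a
    retail CD's setup.exe may legitimately leave behind and a human must judge.
    """
    flagged = {}
    for guid, verbs in parse_mountpoints2(text).items():
        reasons = []
        for verb, cmd in verbs.items():
            lowered = cmd.lower()
            if re.fullmatch(r"[a-z]:\\?", lowered):
                continue  # "F:\" merely opens the folder
            if "rundll32" in lowered:
                reasons.append(f"HIGH {verb}: rundll32 loads a DLL from the device ({cmd})")
            elif lowered.endswith((".com", ".pif", ".scr")):
                reasons.append(f"HIGH {verb}: unusual executable type ({cmd})")
            elif not re.match(r"[a-z]:\\", lowered):
                reasons.append(f"HIGH {verb}: relative path resolved on the device ({cmd})")
            elif lowered.endswith(EXECUTABLE_EXT):
                reasons.append(f"REVIEW {verb}: runs a program from the device ({cmd})")
        if reasons:
            flagged[guid] = reasons
    return flagged


if __name__ == "__main__":
    print("autorun.inf would run:", referenced_executables(SAMPLE_AUTORUN_INF))
    for guid, reasons in suspicious_mountpoints(SAMPLE_MOUNTPOINTS2).items():
        print(guid)
        for reason in reasons:
            print("   ", reason)
```

Run directly it prints a report for the embedded samples; on a real case feed it the text of the quarantined autorun.inf.blocked and the MountPoints2 block of a ComboFix log. Note that the F:\SETUP.EXE entry only gets REVIEW: an absolute path to a setup.exe is what a retail CD leaves in the cache, and in this thread the CFScript removes only the two entries the script rates HIGH.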

offline
  • dr_Bora  Male
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Pack the complete folder C:\qoobox into a single zip/rar and upload that archive.

Upload link: http://www.mycity.rs/ambulanta-upload.php

Open Notepad and copy the following text into it:

FileLook::
c:\windows\TEMP\logishrd\LVPrcInj01.dll

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43dbe031-fc1c-11dd-8a62-001d7d5242bf}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b15dfd9e-253b-11de-8aa2-001d7d5242bf}]

Save the file from Notepad to the Desktop as "CFScript".

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post the log that is produced at the end of the cleaning/scan in your next message.

offline
  • Joined: 13 May 2009
  • Posts: 10

Uploaded!

Here is the ComboFix log:

ComboFix 09-05-12.06 - Zeljko 05/14/2009 11:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1983.1315 [GMT 2:00]
Running from: c:\documents and settings\Zeljko\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Zeljko\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: COMODO Firewall *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-14 to 2009-05-14 )))))))))))))))))))))))))))))))
.

2009-05-14 01:03 . 2009-05-14 01:03 -------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-05-13 16:27 . 2009-05-13 16:28 -------- d-----w C:\USBNoRisk
2009-05-10 08:36 . 2009-05-10 10:02 -------- d-----w c:\documents and settings\Zeljko\Application Data\Ventrilo
2009-05-10 08:35 . 2009-05-10 08:35 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-05 20:02 . 2009-05-05 20:02 -------- d-----w c:\documents and settings\Zeljko\Application Data\teamspeak2
2009-04-21 14:11 . 2009-04-21 14:55 77588 ----a-w c:\windows\War3Unin.dat
2009-04-21 14:11 . 2009-04-21 14:18 2829 ----a-w c:\windows\War3Unin.pif
2009-04-21 14:11 . 2009-04-21 14:18 139264 ----a-w c:\windows\War3Unin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-14 09:37 . 2008-12-12 11:38 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-05-14 09:37 . 2008-12-12 11:37 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2009-05-14 07:32 . 2009-03-01 00:30 -------- d-----w c:\program files\Microsoft Silverlight
2009-05-14 01:00 . 2008-11-30 21:36 -------- d-----w c:\program files\Microsoft Virtual PC
2009-05-13 16:28 . 2008-10-22 15:41 -------- d-----w c:\program files\Winamp
2009-04-22 08:31 . 2008-08-09 09:33 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-20 10:36 . 2008-08-13 12:42 21840 ----atw c:\windows\system32\SIntfNT.dll
2009-04-20 10:36 . 2008-08-13 12:42 17212 ----atw c:\windows\system32\SIntf32.dll
2009-04-20 10:36 . 2008-08-13 12:42 12067 ----atw c:\windows\system32\SIntf16.dll
2009-03-28 07:54 . 2009-03-28 07:54 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-06 14:44 . 2004-08-03 22:56 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-03 22:56 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-01 07:54 . 2008-08-09 09:43 72352 ----a-w c:\documents and settings\Zeljko\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-01 00:25 . 2009-03-01 00:25 191200 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-02-20 18:09 . 2004-08-03 22:56 78336 ----a-w c:\windows\system32\ieencode.dll
2008-11-26 21:28 . 2008-08-12 17:49 17410080 --sha-w c:\windows\system32\drivers\fidbox.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.


---- c:\windows\TEMP\logishrd\LVPrcInj01.dll ----
Company: Logitech Inc.
File Description: Camera Helper Library.
File Version: 11.90.1262.0
Product Name: Logitech QuickCam
Copyright: (c) 1996-2008 Logitech. All rights reserved.
Original file name: LVPrcInj.dll
File Size: 109080
Created Time: 2009-05-14 07:37
Modified Time: 2008-12-16 20:59
Accessed Time: 2009-05-14 08:38
MD5: D20DA789C445936988C8B83F53522374
SHA: B5351671E30A0444F40D1DA184699045E6A823BC


((((((((((((((((((((((((((((( SnapShot@2009-05-13_21.02.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-14 09:39 . 2009-05-14 09:39 16384 c:\windows\Temp\Perflib_Perfdata_f8c.dat
+ 2009-05-14 09:38 . 2009-05-14 09:38 16384 c:\windows\Temp\Perflib_Perfdata_5dc.dat
- 2004-08-03 22:56 . 2004-08-03 22:56 50176 c:\windows\system32\utilman.exe
+ 2004-08-03 22:56 . 2006-10-04 08:48 50176 c:\windows\system32\utilman.exe
- 2004-08-03 22:56 . 2004-08-03 22:56 35840 c:\windows\system32\umandlg.dll
+ 2004-08-03 22:56 . 2006-10-04 13:33 35840 c:\windows\system32\umandlg.dll
+ 2008-07-14 11:09 . 2008-10-22 09:47 62976 c:\windows\system32\tzchange.exe
- 2008-07-14 11:09 . 2008-07-14 11:09 62976 c:\windows\system32\tzchange.exe
+ 2008-08-09 09:42 . 2008-07-09 07:38 26488 c:\windows\system32\spupdsvc.exe
- 2008-08-09 09:42 . 2007-11-30 11:18 26488 c:\windows\system32\spupdsvc.exe
+ 2004-08-03 22:56 . 2009-02-03 20:08 55808 c:\windows\system32\secur32.dll
- 2004-08-03 22:56 . 2004-08-03 22:56 55808 c:\windows\system32\secur32.dll
+ 2001-08-23 11:00 . 2009-02-06 16:54 35328 c:\windows\system32\sc.exe
+ 2004-08-03 22:56 . 2009-02-20 18:09 44544 c:\windows\system32\pngfilt.dll
- 2004-08-03 22:56 . 2007-08-13 17:36 44544 c:\windows\system32\pngfilt.dll
- 2001-08-23 11:00 . 2009-03-29 08:53 79854 c:\windows\system32\perfc009.dat
+ 2001-08-23 11:00 . 2009-05-14 07:42 79854 c:\windows\system32\perfc009.dat
- 2004-08-03 22:56 . 2004-08-03 22:56 53760 c:\windows\system32\narrator.exe
+ 2004-08-03 22:56 . 2006-10-04 08:48 53760 c:\windows\system32\narrator.exe
+ 2008-08-09 09:06 . 2008-06-12 14:16 91648 c:\windows\system32\mtxoci.dll
+ 2004-08-03 22:56 . 2008-06-12 14:16 66560 c:\windows\system32\mtxclu.dll
- 2004-08-03 22:56 . 2004-08-03 22:56 66560 c:\windows\system32\mtxclu.dll
+ 2007-08-13 17:54 . 2009-02-20 18:09 52224 c:\windows\system32\msfeedsbs.dll
+ 2008-08-09 09:06 . 2008-06-12 14:16 58880 c:\windows\system32\msdtclog.dll
- 2008-08-09 09:06 . 2004-08-03 22:56 58880 c:\windows\system32\msdtclog.dll
+ 2004-08-03 22:56 . 2006-10-04 08:48 72704 c:\windows\system32\magnify.exe
- 2004-08-03 22:56 . 2004-08-03 22:56 72704 c:\windows\system32\magnify.exe
- 2004-08-03 22:56 . 2005-01-28 11:44 96768 c:\windows\system32\logagent.exe
+ 2004-08-03 22:56 . 2008-06-10 03:52 96768 c:\windows\system32\logagent.exe
+ 2004-08-03 22:56 . 2009-02-20 18:09 27648 c:\windows\system32\jsproxy.dll
+ 2007-08-13 17:39 . 2009-02-20 10:20 13824 c:\windows\system32\ieudinit.exe
+ 2004-08-03 22:56 . 2009-02-20 18:09 44544 c:\windows\system32\iernonce.dll
+ 2004-08-03 22:56 . 2009-02-20 10:20 70656 c:\windows\system32\ie4uinit.exe
+ 2007-08-13 17:36 . 2009-02-20 18:09 63488 c:\windows\system32\icardie.dll
- 2004-08-03 22:56 . 2004-08-03 22:56 50176 c:\windows\system32\dllcache\utilman.exe
+ 2004-08-03 22:56 . 2006-10-04 08:48 50176 c:\windows\system32\dllcache\utilman.exe
+ 2004-08-03 22:56 . 2006-10-04 13:33 35840 c:\windows\system32\dllcache\umandlg.dll
- 2004-08-03 22:56 . 2004-08-03 22:56 35840 c:\windows\system32\dllcache\umandlg.dll
+ 2004-08-03 22:56 . 2009-02-03 20:08 55808 c:\windows\system32\dllcache\secur32.dll
- 2004-08-03 22:56 . 2004-08-03 22:56 55808 c:\windows\system32\dllcache\secur32.dll
+ 2001-08-23 11:00 . 2009-02-06 16:54 35328 c:\windows\system32\dllcache\sc.exe
- 2004-08-03 22:56 . 2007-08-13 17:36 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\pngfilt.dll
- 2004-08-03 22:56 . 2004-08-03 22:56 53760 c:\windows\system32\dllcache\narrator.exe
+ 2004-08-03 22:56 . 2006-10-04 08:48 53760 c:\windows\system32\dllcache\narrator.exe
+ 2008-08-09 09:06 . 2008-06-12 14:16 91648 c:\windows\system32\dllcache\mtxoci.dll
- 2004-08-03 22:56 . 2004-08-03 22:56 66560 c:\windows\system32\dllcache\mtxclu.dll
+ 2004-08-03 22:56 . 2008-06-12 14:16 66560 c:\windows\system32\dllcache\mtxclu.dll
+ 2009-02-20 18:09 . 2009-02-20 18:09 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-08-09 09:06 . 2008-06-12 14:16 58880 c:\windows\system32\dllcache\msdtclog.dll
- 2008-08-09 09:06 . 2004-08-03 22:56 58880 c:\windows\system32\dllcache\msdtclog.dll
+ 2004-08-03 22:56 . 2006-10-04 08:48 72704 c:\windows\system32\dllcache\magnify.exe
- 2004-08-03 22:56 . 2004-08-03 22:56 72704 c:\windows\system32\dllcache\magnify.exe
+ 2004-08-03 22:56 . 2008-06-10 03:52 96768 c:\windows\system32\dllcache\logagent.exe
- 2004-08-03 22:56 . 2005-01-28 11:44 96768 c:\windows\system32\dllcache\logagent.exe
+ 2004-08-03 22:56 . 2009-02-20 18:09 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2009-02-20 10:20 . 2009-02-20 10:20 13824 c:\windows\system32\dllcache\ieudinit.exe
+ 2004-08-03 22:56 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 78336 c:\windows\system32\dllcache\ieencode.dll
- 2004-08-03 22:56 . 2007-08-13 17:45 78336 c:\windows\system32\dllcache\ieencode.dll
+ 2004-08-03 22:56 . 2009-02-20 10:20 70656 c:\windows\system32\dllcache\ie4uinit.exe
+ 2009-02-20 18:09 . 2009-02-20 18:09 63488 c:\windows\system32\dllcache\icardie.dll
+ 2008-08-09 09:06 . 2005-07-26 04:39 60416 c:\windows\system32\dllcache\colbact.dll
+ 2008-08-09 09:06 . 2005-07-26 04:39 60416 c:\windows\system32\colbact.dll
+ 2008-11-27 11:34 . 2009-05-14 01:02 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-11-27 11:34 . 2009-03-01 00:27 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-11-27 11:34 . 2009-03-01 00:27 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-11-27 11:34 . 2009-05-14 01:02 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-11-27 11:34 . 2009-03-01 00:27 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-11-27 11:34 . 2009-05-14 01:02 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-05-14 01:03 . 2007-08-13 17:36 44544 c:\windows\ie7updates\KB963027-IE7\pngfilt.dll
+ 2009-05-14 01:03 . 2007-08-13 17:54 50688 c:\windows\ie7updates\KB963027-IE7\msfeedsbs.dll
+ 2009-05-14 01:03 . 2007-08-13 17:54 27136 c:\windows\ie7updates\KB963027-IE7\jsproxy.dll
+ 2009-05-14 01:03 . 2007-08-13 17:39 13312 c:\windows\ie7updates\KB963027-IE7\ieudinit.exe
+ 2009-05-14 01:03 . 2007-08-13 17:39 43008 c:\windows\ie7updates\KB963027-IE7\iernonce.dll
+ 2009-05-14 01:03 . 2007-08-13 17:45 78336 c:\windows\ie7updates\KB963027-IE7\ieencode.dll
+ 2009-05-14 01:03 . 2007-08-13 17:39 54784 c:\windows\ie7updates\KB963027-IE7\ie4uinit.exe
+ 2009-05-14 01:03 . 2007-08-13 17:36 61952 c:\windows\ie7updates\KB963027-IE7\icardie.dll
- 2004-08-03 22:56 . 2004-08-03 22:56 351232 c:\windows\system32\winhttp.dll
+ 2004-08-03 22:56 . 2008-12-16 12:47 351232 c:\windows\system32\winhttp.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 233472 c:\windows\system32\webcheck.dll
+ 2008-08-09 09:06 . 2009-02-06 16:39 227840 c:\windows\system32\wbem\wmiprvse.exe
+ 2008-08-09 09:06 . 2009-02-09 10:20 453120 c:\windows\system32\wbem\wmiprvsd.dll
+ 2008-08-09 09:06 . 2009-02-09 10:20 473088 c:\windows\system32\wbem\fastprox.dll
- 2004-08-03 22:56 . 2007-08-13 17:44 105984 c:\windows\system32\url.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 105984 c:\windows\system32\url.dll
+ 2004-08-03 22:56 . 2008-10-03 10:15 247326 c:\windows\system32\strmdll.dll
+ 2004-08-03 22:56 . 2009-02-06 17:14 110592 c:\windows\system32\services.exe
- 2004-08-03 22:56 . 2004-08-03 22:56 144896 c:\windows\system32\schannel.dll
+ 2004-08-03 22:56 . 2008-12-05 07:12 144896 c:\windows\system32\schannel.dll
+ 2004-08-03 22:56 . 2009-02-09 10:20 399360 c:\windows\system32\rpcss.dll
+ 2001-08-23 11:00 . 2009-05-14 07:42 463550 c:\windows\system32\perfh009.dat
- 2001-08-23 11:00 . 2009-03-29 08:53 463550 c:\windows\system32\perfh009.dat
+ 2004-08-03 22:56 . 2006-10-04 08:48 215552 c:\windows\system32\osk.exe
- 2004-08-03 22:56 . 2004-08-03 22:56 215552 c:\windows\system32\osk.exe
+ 2004-08-03 22:56 . 2009-02-20 18:09 102912 c:\windows\system32\occache.dll
+ 2004-08-03 22:56 . 2009-02-09 10:20 714752 c:\windows\system32\ntdll.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 671232 c:\windows\system32\mstime.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 193024 c:\windows\system32\msrating.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 477696 c:\windows\system32\mshtmled.dll
+ 2007-08-13 17:54 . 2009-02-20 18:09 459264 c:\windows\system32\msfeeds.dll
+ 2008-08-09 09:06 . 2008-06-12 14:16 161792 c:\windows\system32\msdtcuiu.dll
+ 2008-08-09 09:06 . 2008-06-12 14:16 956928 c:\windows\system32\msdtctm.dll
+ 2008-08-09 09:06 . 2008-06-12 14:16 428032 c:\windows\system32\msdtcprx.dll
+ 2004-08-03 22:56 . 2009-02-09 10:20 723456 c:\windows\system32\lsasrv.dll
+ 2004-08-03 22:56 . 2009-03-21 14:18 986112 c:\windows\system32\kernel32.dll
+ 2007-08-13 17:34 . 2009-02-20 18:09 268288 c:\windows\system32\iertutil.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 385024 c:\windows\system32\iedkcs32.dll
+ 2007-07-11 11:27 . 2009-02-20 18:09 383488 c:\windows\system32\ieapfltr.dll
- 2007-07-11 11:27 . 2007-07-11 11:27 383488 c:\windows\system32\ieapfltr.dll
+ 2001-08-23 11:00 . 2009-02-20 05:14 161792 c:\windows\system32\ieakui.dll
- 2001-08-23 11:00 . 2007-08-13 16:56 161792 c:\windows\system32\ieakui.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 230400 c:\windows\system32\ieaksie.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 153088 c:\windows\system32\ieakeng.dll
+ 2004-08-03 22:56 . 2008-10-23 13:01 283648 c:\windows\system32\gdi32.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 133120 c:\windows\system32\extmgr.dll
- 2004-08-03 22:56 . 2007-08-13 17:35 214528 c:\windows\system32\dxtrans.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 214528 c:\windows\system32\dxtrans.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 347136 c:\windows\system32\dxtmsft.dll
+ 2004-08-03 21:14 . 2008-06-20 10:45 360320 c:\windows\system32\drivers\tcpip.sys
+ 2004-08-03 21:14 . 2008-12-11 11:57 333184 c:\windows\system32\drivers\srv.sys
+ 2008-08-09 09:06 . 2008-04-21 10:02 215552 c:\windows\system32\dllcache\wordpad.exe
+ 2008-08-09 09:06 . 2009-02-06 16:39 227840 c:\windows\system32\dllcache\wmiprvse.exe
+ 2008-08-09 09:06 . 2009-02-09 10:20 453120 c:\windows\system32\dllcache\wmiprvsd.dll
+ 2004-08-03 22:56 . 2009-03-03 00:18 826368 c:\windows\system32\dllcache\wininet.dll
- 2004-08-03 22:56 . 2004-08-03 22:56 351232 c:\windows\system32\dllcache\winhttp.dll
+ 2004-08-03 22:56 . 2008-12-16 12:47 351232 c:\windows\system32\dllcache\winhttp.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2008-08-09 09:08 . 2008-05-27 17:23 765952 c:\windows\system32\dllcache\vgx.dll
- 2008-08-09 09:08 . 2007-08-13 17:54 765952 c:\windows\system32\dllcache\VGX.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 105984 c:\windows\system32\dllcache\url.dll
- 2004-08-03 22:56 . 2007-08-13 17:44 105984 c:\windows\system32\dllcache\url.dll
+ 2004-08-03 21:14 . 2008-06-20 10:45 360320 c:\windows\system32\dllcache\tcpip.sys
+ 2004-08-03 22:56 . 2008-10-03 10:15 247326 c:\windows\system32\dllcache\strmdll.dll
+ 2004-08-03 21:14 . 2008-12-11 11:57 333184 c:\windows\system32\dllcache\srv.sys
+ 2004-08-03 22:56 . 2009-02-06 17:14 110592 c:\windows\system32\dllcache\services.exe
- 2004-08-03 22:56 . 2004-08-03 22:56 144896 c:\windows\system32\dllcache\schannel.dll
+ 2004-08-03 22:56 . 2008-12-05 07:12 144896 c:\windows\system32\dllcache\schannel.dll
+ 2004-08-03 22:56 . 2009-02-09 10:20 399360 c:\windows\system32\dllcache\rpcss.dll
+ 2004-08-03 22:56 . 2009-03-06 14:44 283648 c:\windows\system32\dllcache\pdh.dll
- 2004-08-03 22:56 . 2004-08-03 22:56 283648 c:\windows\system32\dllcache\pdh.dll
- 2004-08-03 22:56 . 2004-08-03 22:56 215552 c:\windows\system32\dllcache\osk.exe
+ 2004-08-03 22:56 . 2006-10-04 08:48 215552 c:\windows\system32\dllcache\osk.exe
+ 2004-08-03 22:56 . 2009-02-20 18:09 102912 c:\windows\system32\dllcache\occache.dll
+ 2004-08-03 22:56 . 2009-02-09 10:20 714752 c:\windows\system32\dllcache\ntdll.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 671232 c:\windows\system32\dllcache\mstime.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 193024 c:\windows\system32\dllcache\msrating.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2009-02-20 18:09 . 2009-02-20 18:09 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-08-09 09:06 . 2008-06-12 14:16 161792 c:\windows\system32\dllcache\msdtcuiu.dll
+ 2008-08-09 09:06 . 2008-06-12 14:16 956928 c:\windows\system32\dllcache\msdtctm.dll
+ 2008-08-09 09:06 . 2008-06-12 14:16 428032 c:\windows\system32\dllcache\msdtcprx.dll
+ 2004-08-03 22:56 . 2009-02-09 10:20 723456 c:\windows\system32\dllcache\lsasrv.dll
+ 2004-08-03 22:56 . 2009-03-21 14:18 986112 c:\windows\system32\dllcache\kernel32.dll
+ 2008-08-09 09:08 . 2009-02-28 04:54 636072 c:\windows\system32\dllcache\iexplore.exe
+ 2009-02-20 18:09 . 2009-02-20 18:09 268288 c:\windows\system32\dllcache\iertutil.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 385024 c:\windows\system32\dllcache\iedkcs32.dll
+ 2009-02-20 18:09 . 2009-02-20 18:09 383488 c:\windows\system32\dllcache\ieapfltr.dll
+ 2001-08-23 11:00 . 2009-02-20 05:14 161792 c:\windows\system32\dllcache\ieakui.dll
- 2001-08-23 11:00 . 2007-08-13 16:56 161792 c:\windows\system32\dllcache\ieakui.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2004-08-03 22:56 . 2008-10-23 13:01 283648 c:\windows\system32\dllcache\gdi32.dll
+ 2008-08-09 09:06 . 2009-02-09 10:20 473088 c:\windows\system32\dllcache\fastprox.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2004-08-03 22:56 . 2007-08-13 17:35 214528 c:\windows\system32\dllcache\dxtrans.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 124928 c:\windows\system32\dllcache\advpack.dll
+ 2004-08-03 22:56 . 2009-02-09 10:20 616960 c:\windows\system32\dllcache\advapi32.dll
- 2004-08-03 22:56 . 2004-08-03 22:56 616960 c:\windows\system32\dllcache\advapi32.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 124928 c:\windows\system32\advpack.dll
- 2004-08-03 22:56 . 2004-08-03 22:56 616960 c:\windows\system32\advapi32.dll
+ 2004-08-03 22:56 . 2009-02-09 10:20 616960 c:\windows\system32\advapi32.dll
- 2008-11-27 11:34 . 2009-03-01 00:27 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-11-27 11:34 . 2009-05-14 01:02 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-11-27 11:34 . 2009-03-01 00:27 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-11-27 11:34 . 2009-05-14 01:02 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2008-11-27 11:34 . 2009-03-01 00:27 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-11-27 11:34 . 2009-05-14 01:02 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-11-27 11:34 . 2009-05-14 01:02 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-11-27 11:34 . 2009-03-01 00:27 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-11-27 11:34 . 2009-05-14 01:02 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2008-11-27 11:34 . 2009-03-01 00:27 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2008-11-27 11:34 . 2009-05-14 01:02 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2008-11-27 11:34 . 2009-03-01 00:27 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-11-27 11:34 . 2009-05-14 01:02 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-11-27 11:34 . 2009-03-01 00:27 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-05-14 01:03 . 2007-08-13 17:54 818688 c:\windows\ie7updates\KB963027-IE7\wininet.dll
+ 2009-05-14 01:03 . 2007-08-13 17:54 231424 c:\windows\ie7updates\KB963027-IE7\webcheck.dll
+ 2009-05-14 01:03 . 2007-08-13 17:44 105984 c:\windows\ie7updates\KB963027-IE7\url.dll
+ 2009-05-14 01:03 . 2008-07-09 07:38 382840 c:\windows\ie7updates\KB963027-IE7\spuninst\updspapi.dll
+ 2009-05-14 01:03 . 2008-07-08 13:02 231288 c:\windows\ie7updates\KB963027-IE7\spuninst\spuninst.exe
+ 2009-05-14 01:03 . 2007-08-13 17:44 101376 c:\windows\ie7updates\KB963027-IE7\occache.dll
+ 2009-05-14 01:03 . 2007-08-13 17:54 670720 c:\windows\ie7updates\KB963027-IE7\mstime.dll
+ 2009-05-14 01:03 . 2007-08-13 17:44 192000 c:\windows\ie7updates\KB963027-IE7\msrating.dll
+ 2009-05-14 01:03 . 2007-08-13 17:54 475648 c:\windows\ie7updates\KB963027-IE7\mshtmled.dll
+ 2009-05-14 01:03 . 2007-08-13 17:54 458752 c:\windows\ie7updates\KB963027-IE7\msfeeds.dll
+ 2009-05-14 01:03 . 2007-08-13 17:43 622080 c:\windows\ie7updates\KB963027-IE7\iexplore.exe
+ 2009-05-14 01:03 . 2007-08-13 17:34 266752 c:\windows\ie7updates\KB963027-IE7\iertutil.dll
+ 2009-05-14 01:03 . 2007-08-13 17:39 382976 c:\windows\ie7updates\KB963027-IE7\iedkcs32.dll
+ 2009-05-14 01:03 . 2007-07-11 11:27 383488 c:\windows\ie7updates\KB963027-IE7\ieapfltr.dll
+ 2009-05-14 01:03 . 2007-08-13 16:56 161792 c:\windows\ie7updates\KB963027-IE7\ieakui.dll
+ 2009-05-14 01:03 . 2007-08-13 17:39 229376 c:\windows\ie7updates\KB963027-IE7\ieaksie.dll
+ 2009-05-14 01:03 . 2007-08-13 17:39 152064 c:\windows\ie7updates\KB963027-IE7\ieakeng.dll
+ 2009-05-14 01:03 . 2007-08-13 17:54 131584 c:\windows\ie7updates\KB963027-IE7\extmgr.dll
+ 2009-05-14 01:03 . 2007-08-13 17:35 214528 c:\windows\ie7updates\KB963027-IE7\dxtrans.dll
+ 2009-05-14 01:03 . 2007-08-13 17:35 346624 c:\windows\ie7updates\KB963027-IE7\dxtmsft.dll
+ 2009-05-14 01:03 . 2007-08-13 17:39 123904 c:\windows\ie7updates\KB963027-IE7\advpack.dll
+ 2009-05-14 01:03 . 2007-08-13 17:54 765952 c:\windows\ie7updates\KB938127-v2-IE7\vgx.dll
+ 2009-05-14 01:03 . 2007-03-06 01:23 371424 c:\windows\ie7updates\KB938127-v2-IE7\spuninst\updspapi.dll
+ 2009-05-14 01:03 . 2007-03-06 01:22 213216 c:\windows\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe
+ 2004-08-03 22:57 . 2008-06-10 05:07 2376760 c:\windows\system32\WMVCore.dll
+ 2004-08-03 22:56 . 2008-06-10 04:28 1028096 c:\windows\system32\WMNetmgr.dll
+ 2004-08-03 21:17 . 2009-02-09 10:19 1846272 c:\windows\system32\win32k.sys
+ 2004-08-03 22:56 . 2009-02-20 18:09 1160192 c:\windows\system32\urlmon.dll
+ 2004-08-03 22:56 . 2008-07-03 13:16 8454656 c:\windows\system32\shell32.dll
+ 2004-08-03 22:56 . 2008-12-20 22:43 1287680 c:\windows\system32\quartz.dll
- 2004-08-03 22:56 . 2008-05-07 05:18 1287680 c:\windows\system32\quartz.dll
- 2004-08-03 21:18 . 2008-08-14 09:58 2136064 c:\windows\system32\ntoskrnl.exe
+ 2004-08-03 21:18 . 2009-02-06 17:22 2136064 c:\windows\system32\ntoskrnl.exe
+ 2004-08-03 22:59 . 2009-02-06 16:49 2015744 c:\windows\system32\ntkrnlpa.exe
- 2004-08-03 22:59 . 2008-08-14 09:22 2015744 c:\windows\system32\ntkrnlpa.exe
+ 2008-08-29 18:06 . 2008-08-29 18:06 1350664 c:\windows\system32\msxml6.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 3595264 c:\windows\system32\mshtml.dll
+ 2007-08-13 17:54 . 2009-02-20 18:09 6066176 c:\windows\system32\ieframe.dll
+ 2007-02-12 15:10 . 2008-07-09 14:25 2455488 c:\windows\system32\ieapfltr.dat
+ 2008-08-09 11:00 . 2009-05-14 07:32 2144432 c:\windows\system32\FNTCACHE.DAT
- 2008-08-09 11:00 . 2009-03-01 07:50 2144432 c:\windows\system32\FNTCACHE.DAT
+ 2004-08-03 22:57 . 2008-06-10 05:07 2376760 c:\windows\system32\dllcache\WMVCore.dll
+ 2004-08-03 22:56 . 2008-06-10 04:28 1028096 c:\windows\system32\dllcache\WMNetmgr.dll
+ 2004-08-03 21:17 . 2009-02-09 10:19 1846272 c:\windows\system32\dllcache\win32k.sys
+ 2004-08-03 22:56 . 2009-02-20 18:09 1160192 c:\windows\system32\dllcache\urlmon.dll
+ 2004-08-03 22:56 . 2008-07-03 13:16 8454656 c:\windows\system32\dllcache\shell32.dll
+ 2004-08-03 22:56 . 2008-12-20 22:43 1287680 c:\windows\system32\dllcache\quartz.dll
- 2004-08-03 22:56 . 2008-05-07 05:18 1287680 c:\windows\system32\dllcache\quartz.dll
+ 2008-10-15 19:01 . 2009-02-06 17:24 2180480 c:\windows\system32\dllcache\ntoskrnl.exe
- 2008-10-15 19:01 . 2008-08-14 09:22 2015744 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-15 19:01 . 2009-02-06 16:49 2015744 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-15 19:01 . 2009-02-06 16:49 2057728 c:\windows\system32\dllcache\ntkrnlpa.exe
- 2008-10-15 19:01 . 2008-08-14 09:22 2057728 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-10-15 19:01 . 2009-02-06 17:22 2136064 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2008-10-15 19:01 . 2008-08-14 09:58 2136064 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2004-08-03 22:56 . 2009-02-20 18:09 3595264 c:\windows\system32\dllcache\mshtml.dll
+ 2009-02-20 18:09 . 2009-02-20 18:09 6066176 c:\windows\system32\dllcache\ieframe.dll
+ 2008-07-09 14:25 . 2008-07-09 14:25 2455488 c:\windows\system32\dllcache\ieapfltr.dat
- 2008-11-27 11:34 . 2009-03-01 00:27 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-11-27 11:34 . 2009-05-14 01:02 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-11-27 11:34 . 2009-03-01 00:27 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-11-27 11:34 . 2009-05-14 01:02 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2006-09-15 15:25 . 2006-09-15 15:25 3611416 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OUTLFLTR.DAT
+ 2009-05-14 01:03 . 2007-08-13 17:54 1162240 c:\windows\ie7updates\KB963027-IE7\urlmon.dll
+ 2009-05-14 01:03 . 2007-08-13 17:54 3578368 c:\windows\ie7updates\KB963027-IE7\mshtml.dll
+ 2009-05-14 01:03 . 2007-08-13 17:54 6049280 c:\windows\ie7updates\KB963027-IE7\ieframe.dll
+ 2009-05-14 01:03 . 2007-02-12 15:10 2451312 c:\windows\ie7updates\KB963027-IE7\ieapfltr.dat
+ 2008-10-15 19:01 . 2009-02-06 17:24 2180480 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-10-15 19:01 . 2009-02-06 16:49 2015744 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2008-10-15 19:01 . 2008-08-14 09:22 2015744 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-15 19:01 . 2009-02-06 16:49 2057728 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2008-10-15 19:01 . 2008-08-14 09:22 2057728 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-10-15 19:01 . 2009-02-06 17:22 2136064 c:\windows\Driver Cache\i386\ntkrnlmp.exe
- 2008-10-15 19:01 . 2008-08-14 09:58 2136064 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-09-22 06:17 . 2009-05-06 22:16 24699336 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2008-08-24 4067328]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-18 21633320]
"Google Update"="c:\documents and settings\Zeljko\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-06 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-16 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-16 81920]
"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"COMODO Internet Security"="d:\program files\Comodo\COMODO Internet Security\cfp.exe" [2008-12-01 1796856]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-12-07 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-09-16 1626112]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-09-19 16844800]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-08-03 1826816]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]

c:\documents and settings\Zeljko\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Logitech SetPoint.lnk - d:\program files\Logitech\SetPoint\SetPoint.exe [2008-12-7 692224]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"d:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18589:TCP"= 18589:TCP:BitComet 18589 TCP
"18589:UDP"= 18589:UDP:BitComet 18589 UDP

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [12/1/2008 3:23 PM 99216]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [12/1/2008 3:23 PM 31504]
R2 OracleServiceXE;OracleServiceXE;d:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE --> d:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]
R2 OracleXETNSListener;OracleXETNSListener;d:\oraclexe\app\oracle\product\10.2.0\server\BIN\TNSLSNR.EXE [2/2/2006 1:49 AM 204800]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;d:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE --> d:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2ee3169-6933-11dd-b433-001d7d5242bf}]
\Shell\AutoRun\command - F:\SETUP.EXE
.
Contents of the 'Scheduled Tasks' folder

2009-05-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-05-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-1614895754-682003330-1003.job
- c:\documents and settings\Zeljko\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-06 22:50]
.
.
------- Supplementary Scan -------
.
uStart Page = rol.raiffeisenbank.rs/Retail
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - d:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - d:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - d:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: raiffeisenbank.rs\rol
DPF: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A} - hxxps://rol.raiffeisenbank.rs/RetailDLL/FSINT.dll
FF - ProfilePath - c:\documents and settings\Zeljko\Application Data\Mozilla\Firefox\Profiles\66fn43p0.default\
FF - component: c:\documents and settings\Zeljko\Application Data\Mozilla\Firefox\Profiles\66fn43p0.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Zeljko\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: d:\program files\Opera\program\plugins\npdsplay.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin2.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin3.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin4.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin5.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin6.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin7.dll
FF - plugin: d:\program files\Opera\program\plugins\NPSWF32.dll
FF - plugin: d:\program files\Opera\program\plugins\npwmsdrm.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-05-14 11:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(936)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(6180)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
d:\program files\Logitech\SetPoint\GameHook.dll
d:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\hnetcfg.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
d:\program files\Comodo\COMODO Internet Security\cmdagent.exe
d:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\nvsvc32.exe
d:\oraclexe\app\oracle\product\10.2.0\server\BIN\oracle.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.exe
c:\windows\system32\wdfmgr.exe
d:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
d:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2009-05-14 11:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-14 09:45
ComboFix2.txt 2009-05-13 21:08

Pre-Run: 6,955,958,272 bytes free
Post-Run: 6,940,774,400 bytes free

468 --- E O F --- 2009-05-14 01:04

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Run USBNoRisk again, plug in the flash drive (if it is not already plugged in), switch to the Script tab and paste there the text from inside the Code box:

{624d7cb6-80e5-11dd-897e-001d7d5242bf}
folder_list_sub: %DRIVE%SYSTEM
delete_blocked:

Click Run Script. After a few seconds, right-click in the program window (on the Monitor tab) and choose Save log.

Paste the log into the thread.

offline
  • Joined: 13 May 2009
  • Posts: 10

Here is the log:


USBNoRisk 2.2 09 May 2009 by bobby

Started at 5/15/2009 9:45:18 AM

Searching for connected USB Mass storage...
----------------------------------------
I: {624d7cb6-80e5-11dd-897e-001d7d5242bf}
========================================

Searching for other storage...
----------------------------------------
C: {953827cf-6601-11dd-881a-806d6172696f}
D: {953827d0-6601-11dd-881a-806d6172696f}
========================================

Scanning removable storage...
----------------------------------------

Blocked file found: I:\autorun.inf.blocked
----------------------------------------
Content of I:\autorun.inf.blocked
----------------------------------------
[autorun]
open=SYSTEM\FILES\ARMY.exe
;ªÓÈÅÌÌüÏÐÅÎüÄÅÆÁÕÌԝ‘Ά

;This is Mainly Used by Driver Utility Dont Remove This File.
action=Open folder to view files
shell\open=Open
shell\open\command=SYSTEM\FILES\ARMY.exe
shell\open\default=1
----------------------------------------

Files referenced from I:\autorun.inf.blocked
----------------------------------------
None
----------------------------------------

No Autorun.inf files found on I:
No mountpoint found for 624d7cb6-80e5-11dd-897e-001d7d5242bf
No Desktop.ini files found on I:
No mimics found on drive I:
----------------------------------------


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 953827cf-6601-11dd-881a-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

No blocked files found on D:
No Autorun.inf files found on D:
No mountpoint found for D:
No mountpoint found for 953827d0-6601-11dd-881a-806d6172696f
No Desktop.ini files found on D:
----------------------------------------

========================================
Initial scan finished!
========================================

Processing script
----------------------------------------
624d7cb6-80e5-11dd-897e-001d7d5242bf
Drive letter for GUID: I:
SectionStart = 0
SectionEnd = 2
----------------------------------------
Folder list for I:\SYSTEM:
----------------------------------------
d---- I:\SYSTEM\Apps I:\SYSTEM\Apps
--a-- I:\SYSTEM\Apps\LPGDB.xml I:\SYSTEM\Apps\LPGDB.xml
----- I:\SYSTEM\Apps\LPDB.xml I:\SYSTEM\Apps\LPDB.xml
dr-hs I:\SYSTEM\S-3-7-~1 I:\SYSTEM\S-3-7-89-2225458569-9856321456-454423558-8896
--ahs I:\SYSTEM\S-3-7-~1\Desktop.ini I:\SYSTEM\S-3-7-89-2225458569-9856321456-454423558-8896\Desktop.ini
-r-hs I:\SYSTEM\S-3-7-~1\explorer.exe I:\SYSTEM\S-3-7-89-2225458569-9856321456-454423558-8896\explorer.exe
dr-hs I:\SYSTEM\G-923-~1 I:\SYSTEM\G-923-321232-3232-32211-23
--ahs I:\SYSTEM\G-923-~1\Desktop.ini I:\SYSTEM\G-923-321232-3232-32211-23\Desktop.ini
dr-hs I:\SYSTEM\FILES I:\SYSTEM\FILES
--ahs I:\SYSTEM\FILES\Desktop.ini I:\SYSTEM\FILES\Desktop.ini
----------------------------------------
Deleting blocked files:
----------------------------------------
Delete: I:\autorun.inf.blocked > Done!
----------------------------------------
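
The autorun.inf and the I:\SYSTEM folder listing that USBNoRisk reported above can be checked mechanically rather than by eye. The Python script below is an added example, not part of the original thread and not USBNoRisk's own code: it parses the quoted autorun.inf, lists the executables the [autorun] section would launch, flags the "Open folder to view files" lure and the default-verb hijack, and then walks a USBNoRisk-style folder listing looking for hidden+system directories that contain an executable, noting when the directory name is shaped like a Windows SID. Both sample inputs are constructed from the log above (the garbled ";" comment line is replaced by a plain one, which the parser ignores anyway); reading the listing's flag column as d/r/a/h/s (directory, read-only, archive, hidden, system) is an assumption drawn from the entries shown.

```python
import re

# Constructed sample: the autorun.inf that USBNoRisk quoted from I:\autorun.inf.blocked
# in the log above (junk comment line replaced by a plain one; comments are ignored).
SAMPLE_AUTORUN = """[autorun]
open=SYSTEM\\FILES\\ARMY.exe
;junk bytes
;This is Mainly Used by Driver Utility Dont Remove This File.
action=Open folder to view files
shell\\open=Open
shell\\open\\command=SYSTEM\\FILES\\ARMY.exe
shell\\open\\default=1
"""

# Constructed sample: the folder list USBNoRisk produced for I:\SYSTEM.
# Assumed flag column: d=directory, r=read-only, a=archive, h=hidden, s=system.
SAMPLE_LISTING = """d---- I:\\SYSTEM\\Apps I:\\SYSTEM\\Apps
--a-- I:\\SYSTEM\\Apps\\LPGDB.xml I:\\SYSTEM\\Apps\\LPGDB.xml
----- I:\\SYSTEM\\Apps\\LPDB.xml I:\\SYSTEM\\Apps\\LPDB.xml
dr-hs I:\\SYSTEM\\S-3-7-~1 I:\\SYSTEM\\S-3-7-89-2225458569-9856321456-454423558-8896
--ahs I:\\SYSTEM\\S-3-7-~1\\Desktop.ini I:\\SYSTEM\\S-3-7-89-2225458569-9856321456-454423558-8896\\Desktop.ini
-r-hs I:\\SYSTEM\\S-3-7-~1\\explorer.exe I:\\SYSTEM\\S-3-7-89-2225458569-9856321456-454423558-8896\\explorer.exe
dr-hs I:\\SYSTEM\\G-923-~1 I:\\SYSTEM\\G-923-321232-3232-32211-23
--ahs I:\\SYSTEM\\G-923-~1\\Desktop.ini I:\\SYSTEM\\G-923-321232-3232-32211-23\\Desktop.ini
dr-hs I:\\SYSTEM\\FILES I:\\SYSTEM\\FILES
--ahs I:\\SYSTEM\\FILES\\Desktop.ini I:\\SYSTEM\\FILES\\Desktop.ini
"""

EXEC_KEYS = {"open", "shellexecute"}                     # keys that launch a program
COMMAND_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command=
EXE_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs")
SID_LIKE_RE = re.compile(r"^S-\d+-\d+(?:-\d+)+$")         # name shaped like a Windows SID


def parse_autorun(text):
    """Parse autorun.inf text into {section: {key: value}}; ';' comment lines are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def referenced_executables(text):
    """Paths the [autorun] section would launch, in file order, without duplicates."""
    autorun = parse_autorun(text).get("autorun", {})
    refs = []
    for key, value in autorun.items():
        if key in EXEC_KEYS or COMMAND_KEY_RE.match(key):
            target = value.strip('"').split()[0] if value else ""
            if target and target not in refs:
                refs.append(target)
    return refs


def autorun_findings(text):
    """Human-readable reasons an autorun.inf looks malicious (empty list = nothing found)."""
    autorun = parse_autorun(text).get("autorun", {})
    refs = referenced_executables(text)
    findings = [f"launches {r}" for r in refs]
    if refs and "open folder" in autorun.get("action", "").lower():
        findings.append("action= imitates Explorer's own 'Open folder to view files' choice")
    if refs and autorun.get("shell\\open\\default") == "1":
        findings.append("shell\\open\\default=1 makes the hijacked verb the double-click default")
    return findings


def parse_listing(text):
    """Yield (flags, long_path) from a USBNoRisk-style folder list: '<flags> <8.3 path> <long path>'."""
    for raw in text.splitlines():
        parts = raw.split(None, 2)
        if len(parts) == 3 and len(parts[0]) == 5:
            yield parts[0], parts[2]


def hidden_system_dirs_with_executables(listing):
    """Hidden+system directories holding an executable; notes SID-shaped directory names."""
    entries = list(parse_listing(listing))
    hidden_dirs = [p for f, p in entries if f[0] == "d" and f[3] == "h" and f[4] == "s"]
    hits = []
    for d in hidden_dirs:
        exes = [p for f, p in entries
                if f[0] != "d" and p.lower().startswith(d.lower() + "\\")
                and p.lower().endswith(EXE_EXT)]
        if exes:
            name = d.rsplit("\\", 1)[-1]
            hits.append({"dir": d, "executables": exes,
                         "sid_like_name": bool(SID_LIKE_RE.match(name))})
    return hits


if __name__ == "__main__":
    for finding in autorun_findings(SAMPLE_AUTORUN):
        print("autorun.inf:", finding)
    for hit in hidden_system_dirs_with_executables(SAMPLE_LISTING):
        print("hidden dir:", hit["dir"], hit["executables"],
              "(SID-like name)" if hit["sid_like_name"] else "")
```

Run as-is it reports the single launch target SYSTEM\FILES\ARMY.exe with both lures, and the one hidden+system folder that actually holds an executable (the SID-shaped S-3-7-… directory with explorer.exe); I:\SYSTEM\FILES is hidden too but only contains Desktop.ini, which matches the "Files referenced ... None" line in the log. The script only reads text, so it can be pointed at an autorun.inf copied off a suspect stick without running anything from it.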

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Same procedure as before, just use the following script:

{624d7cb6-80e5-11dd-897e-001d7d5242bf}
chaser:
folder_delete: %DRIVE%SYSTEM\S-3-7-89-2225458569-9856321456-454423558-8896
folder_delete: %DRIVE%SYSTEM\G-923-321232-3232-32211-23

Save and post the log.

offline
  • Joined: 13 May 2009
  • Posts: 10

Here comes the log:

USBNoRisk 2.2 09 May 2009 by bobby

Started at 5/15/2009 5:02:11 PM

Searching for connected USB Mass storage...
----------------------------------------
I: {624d7cb6-80e5-11dd-897e-001d7d5242bf}
========================================

Searching for other storage...
----------------------------------------
C: {953827cf-6601-11dd-881a-806d6172696f}
D: {953827d0-6601-11dd-881a-806d6172696f}
========================================

Scanning removable storage...
----------------------------------------

No blocked files found on I:
No Autorun.inf files found on I:
No mountpoint found for 624d7cb6-80e5-11dd-897e-001d7d5242bf
No Desktop.ini files found on I:
No mimics found on drive I:
----------------------------------------


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 953827cf-6601-11dd-881a-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

No blocked files found on D:
No Autorun.inf files found on D:
No mountpoint found for D:
No mountpoint found for 953827d0-6601-11dd-881a-806d6172696f
No Desktop.ini files found on D:
----------------------------------------

========================================
Initial scan finished!
========================================

Processing script
----------------------------------------
624d7cb6-80e5-11dd-897e-001d7d5242bf
Drive letter for GUID: I:
SectionStart = 0
SectionEnd = 3
----------------------------------------
Find desktop.ini files on I:
----------------------------------------
No Desktop.ini files found on I:\
----------------------------------------
Delete folder tree I:\SYSTEM\S-3-7-89-2225458569-9856321456-454423558-8896:
----------------------------------------
File lock detected:
USBNoRisk cannot find what locked the file
Delete: I:\SYSTEM\S-3-7-89-2225458569-9856321456-454423558-8896\explorer.exe > Error!
Delete: I:\SYSTEM\S-3-7-89-2225458569-9856321456-454423558-8896\Desktop.ini > Done!
Delete: I:\SYSTEM\S-3-7-89-2225458569-9856321456-454423558-8896 > Error!

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Let's go once more. Use the following script:

{624d7cb6-80e5-11dd-897e-001d7d5242bf}
f_copy: %DRIVE%SYSTEM\S-3-7-89-2225458569-9856321456-454423558-8896\explorer.exe > c:\badfile.bak
f_delete: %DRIVE%SYSTEM\S-3-7-89-2225458569-9856321456-454423558-8896\explorer.exe
folder_delete: %DRIVE%SYSTEM\S-3-7-89-2225458569-9856321456-454423558-8896
folder_delete: %DRIVE%SYSTEM\G-923-321232-3232-32211-23

Post the log in the thread.

Upload the file: c:\badfile.bak

via this link: http://www.mycity.rs/ambulanta-upload.php
