Molim za proveru loga

1

Molim za proveru loga

offline
  • Pridružio: 13 Maj 2009
  • Poruke: 10

Pozdrav. Prvo bih se zahvalio svima koji pomazu na ovom forumu! Ako neko moze da mi proveri moj log. Nemam ocigledne znakove virusa na kompu, ali imam zarazen USB - ide na univerzitetsku mrezu, tako da... Avira detektuje virus na flashu, ja ga brisem i tako u krug. Kako mogu da ocistim flash? Sto se tice kompa, zanima me da li je i on zarazen (jedan ortak mi kaze da NOD prepoznaje kalendar koji ja koristim - Rainlendar, kao Trojanca i SpyWare...) tako da ako mozete evo pogledajte log i recite mi da li ima Malware-a. Verujem da ima Sad Unapred hvala.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:27 PM, on 5/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Aston\aston.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
D:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
d:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
D:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
C:\WINDOWS\system32\svchost.exe
D:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
D:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Comodo\COMODO Internet Security\cfp.exe
D:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\Zeljko\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
D:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Virtual PC\Virtual PC.exe
C:\totalcmd\TOTALCMD.EXE
D:\Program Files\Comodo\COMODO Internet Security\cfpupdat.exe
C:\WINDOWS\explorer.exe
C:\program files\WINAMP\Winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\download\sve\TR3.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = rol.raiffeisenbank.rs/Retail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=C:\Aston\aston.exe ,svchost.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "D:\Program Files\Comodo\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Zeljko\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2009\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2009\spy.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A} (FileInterface Class) - rol.raiffeisenbank.rs/RetailDLL/FSINT.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - D:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - D:\oraclexe\app\oracle\product\10.2.0\server\BIN\omtsreco.exe
O23 - Service: OracleServiceXE - Oracle Corporation - d:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
O23 - Service: OracleXEClrAgent - Unknown owner - D:\oraclexe\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe
O23 - Service: OracleXETNSListener - Unknown owner - D:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
O23 - Service: wampapache - Apache Software Foundation - D:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - D:\wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe

--
End of file - 10969 bytes

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12279
  • Gde živiš: Höganäs, SE

Pozdrav...




Arrow Klikni desnim tasterom na Avira ikonicu ( ) u donjem, desnom uglu ekrana i deštikliraj AntiVir Guard Enable.




Arrow Skini ComboFix sa jedne od sledecih adresa na Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Startuj ga i ne diraj prozor programa dok skenira.
Sledi uputstva na ekranu. Kada zavrsi pojavice se log (C:\ComboFix.txt) koji ces nam ovde iskopirati.



-------------------------------------------------------------------------------------




Arrow Preuzmi USBNoRisk na Desktop i pokreni ga duplim klikom na ikonicu programa.
- Sacekaj koji sekund dok program izvrsi inicijalno skeniranje.
- Ubacuj sve USB memorijske uredjaje redom u USB slot i svaki zadrzi u slotu po 10 sekundi.
- Ukoliko imas vise uredjaja za proveru, onda na parcetu papira zapisi kojim redom su ubacivani jer ce nam kasnije trebati taj podatak
- Kada zavrsis sa svim uredjajima, klikni desno dugme misa na sred prozora programa i odaberi opciju Save log. To ce automatski otvoriti log u Notepadu. Iskopiraj nam taj log iz Notepada na forum.

Objasnjenje: U USB memorijske uredjaje spadaju svi oni uredjaji koji po prikljucivanju na kompjuter dobijaju svoju oznaku particije. Tu spadaju USB flash drajvovi, eksterni hard-diskovi, memorijske kartice, MP3 i MP4 plejeri, neki mobilni telefoni, neki GPS (navigacioni) uredjaji itd.

offline
  • Pridružio: 13 Maj 2009
  • Poruke: 10

Log ComboFix-a:

ComboFix 09-05-12.06 - Zeljko 05/13/2009 22:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1983.1490 [GMT 2:00]
Running from: d:\download\sve\Ambulanta\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: COMODO Firewall *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-13 to 2009-05-13 )))))))))))))))))))))))))))))))
.

2009-05-13 16:27 . 2009-05-13 16:28 -------- d-----w C:\USBNoRisk
2009-05-10 08:36 . 2009-05-10 10:02 -------- d-----w c:\documents and settings\Zeljko\Application Data\Ventrilo
2009-05-10 08:35 . 2009-05-10 08:35 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-05 20:02 . 2009-05-05 20:02 -------- d-----w c:\documents and settings\Zeljko\Application Data\teamspeak2
2009-04-21 14:11 . 2009-04-21 14:55 77588 ----a-w c:\windows\War3Unin.dat
2009-04-21 14:11 . 2009-04-21 14:18 2829 ----a-w c:\windows\War3Unin.pif
2009-04-21 14:11 . 2009-04-21 14:18 139264 ----a-w c:\windows\War3Unin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-13 21:00 . 2008-12-12 11:37 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2009-05-13 16:28 . 2008-10-22 15:41 -------- d-----w c:\program files\Winamp
2009-05-09 07:02 . 2008-12-12 11:38 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-04-22 08:31 . 2008-08-09 09:33 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-20 10:36 . 2008-08-13 12:42 21840 ----atw c:\windows\system32\SIntfNT.dll
2009-04-20 10:36 . 2008-08-13 12:42 17212 ----atw c:\windows\system32\SIntf32.dll
2009-04-20 10:36 . 2008-08-13 12:42 12067 ----atw c:\windows\system32\SIntf16.dll
2009-03-28 07:54 . 2009-03-28 07:54 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-01 07:54 . 2008-08-09 09:43 72352 ----a-w c:\documents and settings\Zeljko\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-01 00:25 . 2009-03-01 00:25 191200 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2008-11-26 21:28 . 2008-08-12 17:49 17410080 --sha-w c:\windows\system32\drivers\fidbox.dat
.

------- Sigcheck -------

[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2004-08-03 21:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-12-01 14:02 359040 27A5959C94EE173A063CA06BD14F021A c:\windows\system32\dllcache\TCPIP.SYS
[-] 2008-12-01 14:02 359040 27A5959C94EE173A063CA06BD14F021A c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2008-08-24 4067328]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-18 21633320]
"Google Update"="c:\documents and settings\Zeljko\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-06 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-16 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-16 81920]
"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"COMODO Internet Security"="d:\program files\Comodo\COMODO Internet Security\cfp.exe" [2008-12-01 1796856]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-12-07 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-09-16 1626112]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-09-19 16844800]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-08-03 1826816]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]

c:\documents and settings\Zeljko\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Logitech SetPoint.lnk - d:\program files\Logitech\SetPoint\SetPoint.exe [2008-12-7 692224]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"d:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18589:TCP"= 18589:TCP:BitComet 18589 TCP
"18589:UDP"= 18589:UDP:BitComet 18589 UDP

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [12/1/2008 3:23 PM 99216]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [12/1/2008 3:23 PM 31504]
R2 OracleServiceXE;OracleServiceXE;d:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE --> d:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]
R2 OracleXETNSListener;OracleXETNSListener;d:\oraclexe\app\oracle\product\10.2.0\server\BIN\TNSLSNR.EXE [2/2/2006 1:49 AM 204800]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;d:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE --> d:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43dbe031-fc1c-11dd-8a62-001d7d5242bf}]
\Shell\AutoRun\command - F:\
\Shell\open\Command - rundll32.exe .\\hbdhe.dll,InstallM

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2ee3169-6933-11dd-b433-001d7d5242bf}]
\Shell\AutoRun\command - F:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b15dfd9e-253b-11de-8aa2-001d7d5242bf}]
\Shell\AutoRun\command - 80avp08.com
\Shell\explore\Command - 80avp08.com
\Shell\open\Command - 80avp08.com
.
Contents of the 'Scheduled Tasks' folder

2009-05-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-05-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-1614895754-682003330-1003.job
- c:\documents and settings\Zeljko\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-06 22:50]
.
.
------- Supplementary Scan -------
.
uStart Page = rol.raiffeisenbank.rs/Retail
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - d:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - d:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - d:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: raiffeisenbank.rs\rol
DPF: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A} - hxxps://rol.raiffeisenbank.rs/RetailDLL/FSINT.dll
FF - ProfilePath - c:\documents and settings\Zeljko\Application Data\Mozilla\Firefox\Profiles\66fn43p0.default\
FF - component: c:\documents and settings\Zeljko\Application Data\Mozilla\Firefox\Profiles\66fn43p0.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Zeljko\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: d:\program files\Opera\program\plugins\npdsplay.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin2.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin3.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin4.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin5.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin6.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin7.dll
FF - plugin: d:\program files\Opera\program\plugins\NPSWF32.dll
FF - plugin: d:\program files\Opera\program\plugins\npwmsdrm.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-05-13 23:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Zeljko\LOCALS~1\Temp\RGI7.tmp 7075 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948-)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(7876)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
d:\program files\Logitech\SetPoint\GameHook.dll
d:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\hnetcfg.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
d:\program files\Comodo\COMODO Internet Security\cmdagent.exe
d:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\nvsvc32.exe
d:\oraclexe\app\oracle\product\10.2.0\server\BIN\oracle.exe
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.exe
c:\windows\system32\wdfmgr.exe
d:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
d:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\MSN Messenger\usnsvc.exe
d:\program files\Comodo\COMODO Internet Security\cfpupdat.exe
.
**************************************************************************
.
Completion time: 2009-05-13 23:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-13 21:08

Pre-Run: 6,522,912,768 bytes free
Post-Run: 7,274,528,768 bytes free

195 --- E O F --- 2008-11-12 19:28





Log sa USBNoRisk-a:


USBNoRisk 2.2 09 May 2009 by bobby

Started at 5/13/2009 6:26:28 PM

Searching for connected USB Mass storage...
----------------------------------------
I: {624d7cb6-80e5-11dd-897e-001d7d5242bf}
========================================

Searching for other storage...
----------------------------------------
C: {953827cf-6601-11dd-881a-806d6172696f}
D: {953827d0-6601-11dd-881a-806d6172696f}
========================================

Scanning removable storage...
----------------------------------------

No blocked files found on I:
autorun.inf found on I:
----------------------------------------
File I:\autorun.inf renamed successfully

Content of I:\autorun.inf.blocked
----------------------------------------
[autorun]
open=SYSTEM\FILES\ARMY.exe
;ªÓÈÅÌÌüÏÐÅÎüÄÅÆÁÕÌԝ‘Ά

;This is Mainly Used by Driver Utility Dont Remove This File.
action=Open folder to view files
shell\open=Open
shell\open\command=SYSTEM\FILES\ARMY.exe
shell\open\default=1
----------------------------------------

Files referenced from I:\autorun.inf.blocked
----------------------------------------
None
----------------------------------------

Sanitized mountpoint for 624d7cb6-80e5-11dd-897e-001d7d5242bf
No Desktop.ini files found on I:
No mimics found on drive I:
----------------------------------------


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 953827cf-6601-11dd-881a-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

No blocked files found on D:
No Autorun.inf files found on D:
No mountpoint found for D:
No mountpoint found for 953827d0-6601-11dd-881a-806d6172696f
No Desktop.ini files found on D:
----------------------------------------

========================================
Initial scan finished!
========================================

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12279
  • Gde živiš: Höganäs, SE

Arrow Upakuj u jedan zip/rar kompletan folder: C:\qoobox i uploaduj tu arhivu.

Upload link: http://www.mycity.rs/ambulanta-upload.php





Arrow Otvoriti Notepad i iskopirati sledeci tekst:


FileLook::
c:\windows\TEMP\logishrd\LVPrcInj01.dll

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43dbe031-fc1c-11dd-8a62-001d7d5242bf}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b15dfd9e-253b-11de-8aa2-001d7d5242bf}]



Snimiti na Desktop fajl iz Notepada kao "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.

offline
  • Pridružio: 13 Maj 2009
  • Poruke: 10

Uploadovano!

Evo ide i log iz ComboFix-a:



ComboFix 09-05-12.06 - Zeljko 05/14/2009 11:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1983.1315 [GMT 2:00]
Running from: c:\documents and settings\Zeljko\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Zeljko\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: COMODO Firewall *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-14 to 2009-05-14 )))))))))))))))))))))))))))))))
.

2009-05-14 01:03 . 2009-05-14 01:03 -------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-05-13 16:27 . 2009-05-13 16:28 -------- d-----w C:\USBNoRisk
2009-05-10 08:36 . 2009-05-10 10:02 -------- d-----w c:\documents and settings\Zeljko\Application Data\Ventrilo
2009-05-10 08:35 . 2009-05-10 08:35 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-05 20:02 . 2009-05-05 20:02 -------- d-----w c:\documents and settings\Zeljko\Application Data\teamspeak2
2009-04-21 14:11 . 2009-04-21 14:55 77588 ----a-w c:\windows\War3Unin.dat
2009-04-21 14:11 . 2009-04-21 14:18 2829 ----a-w c:\windows\War3Unin.pif
2009-04-21 14:11 . 2009-04-21 14:18 139264 ----a-w c:\windows\War3Unin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-14 09:37 . 2008-12-12 11:38 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-05-14 09:37 . 2008-12-12 11:37 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2009-05-14 07:32 . 2009-03-01 00:30 -------- d-----w c:\program files\Microsoft Silverlight
2009-05-14 01:00 . 2008-11-30 21:36 -------- d-----w c:\program files\Microsoft Virtual PC
2009-05-13 16:28 . 2008-10-22 15:41 -------- d-----w c:\program files\Winamp
2009-04-22 08:31 . 2008-08-09 09:33 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-20 10:36 . 2008-08-13 12:42 21840 ----atw c:\windows\system32\SIntfNT.dll
2009-04-20 10:36 . 2008-08-13 12:42 17212 ----atw c:\windows\system32\SIntf32.dll
2009-04-20 10:36 . 2008-08-13 12:42 12067 ----atw c:\windows\system32\SIntf16.dll
2009-03-28 07:54 . 2009-03-28 07:54 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-06 14:44 . 2004-08-03 22:56 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-03 22:56 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-01 07:54 . 2008-08-09 09:43 72352 ----a-w c:\documents and settings\Zeljko\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-01 00:25 . 2009-03-01 00:25 191200 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-02-20 18:09 . 2004-08-03 22:56 78336 ----a-w c:\windows\system32\ieencode.dll
2008-11-26 21:28 . 2008-08-12 17:49 17410080 --sha-w c:\windows\system32\drivers\fidbox.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.


---- c:\windows\TEMP\logishrd\LVPrcInj01.dll ----
Company: Logitech Inc.
File Description: Camera Helper Library.
File Version: 11.90.1262.0
Product Name: Logitech QuickCam
Copyright: (c) 1996-2008 Logitech. All rights reserved.
Original file name: LVPrcInj.dll
File Size: 109080
Created Time: 2009-05-14 07:37
Modified Time: 2008-12-16 20:59
Accessed Time: 2009-05-14 08:38
MD5: D20DA789C445936988C8B83F53522374
SHA: B5351671E30A0444F40D1DA184699045E6A823BC


((((((((((((((((((((((((((((( SnapShot@2009-05-13_21.02.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-14 09:39 . 2009-05-14 09:39 16384 c:\windows\Temp\Perflib_Perfdata_f8c.dat
+ 2009-05-14 09:38 . 2009-05-14 09:38 16384 c:\windows\Temp\Perflib_Perfdata_5dc.dat
- 2004-08-03 22:56 . 2004-08-03 22:56 50176 c:\windows\system32\utilman.exe
+ 2004-08-03 22:56 . 2006-10-04 08:48 50176 c:\windows\system32\utilman.exe
- 2004-08-03 22:56 . 2004-08-03 22:56 35840 c:\windows\system32\umandlg.dll
+ 2004-08-03 22:56 . 2006-10-04 13:33 35840 c:\windows\system32\umandlg.dll
+ 2008-07-14 11:09 . 2008-10-22 09:47 62976 c:\windows\system32\tzchange.exe
- 2008-07-14 11:09 . 2008-07-14 11:09 62976 c:\windows\system32\tzchange.exe
+ 2008-08-09 09:42 . 2008-07-09 07:38 26488 c:\windows\system32\spupdsvc.exe
- 2008-08-09 09:42 . 2007-11-30 11:18 26488 c:\windows\system32\spupdsvc.exe
+ 2004-08-03 22:56 . 2009-02-03 20:08 55808 c:\windows\system32\secur32.dll
- 2004-08-03 22:56 . 2004-08-03 22:56 55808 c:\windows\system32\secur32.dll
+ 2001-08-23 11:00 . 2009-02-06 16:54 35328 c:\windows\system32\sc.exe
+ 2004-08-03 22:56 . 2009-02-20 18:09 44544 c:\windows\system32\pngfilt.dll
- 2004-08-03 22:56 . 2007-08-13 17:36 44544 c:\windows\system32\pngfilt.dll
- 2001-08-23 11:00 . 2009-03-29 08:53 79854 c:\windows\system32\perfc009.dat
+ 2001-08-23 11:00 . 2009-05-14 07:42 79854 c:\windows\system32\perfc009.dat
- 2004-08-03 22:56 . 2004-08-03 22:56 53760 c:\windows\system32\narrator.exe
+ 2004-08-03 22:56 . 2006-10-04 08:48 53760 c:\windows\system32\narrator.exe
+ 2008-08-09 09:06 . 2008-06-12 14:16 91648 c:\windows\system32\mtxoci.dll
+ 2004-08-03 22:56 . 2008-06-12 14:16 66560 c:\windows\system32\mtxclu.dll
- 2004-08-03 22:56 . 2004-08-03 22:56 66560 c:\windows\system32\mtxclu.dll
+ 2007-08-13 17:54 . 2009-02-20 18:09 52224 c:\windows\system32\msfeedsbs.dll
+ 2008-08-09 09:06 . 2008-06-12 14:16 58880 c:\windows\system32\msdtclog.dll
- 2008-08-09 09:06 . 2004-08-03 22:56 58880 c:\windows\system32\msdtclog.dll
+ 2004-08-03 22:56 . 2006-10-04 08:48 72704 c:\windows\system32\magnify.exe
- 2004-08-03 22:56 . 2004-08-03 22:56 72704 c:\windows\system32\magnify.exe
- 2004-08-03 22:56 . 2005-01-28 11:44 96768 c:\windows\system32\logagent.exe
+ 2004-08-03 22:56 . 2008-06-10 03:52 96768 c:\windows\system32\logagent.exe
+ 2004-08-03 22:56 . 2009-02-20 18:09 27648 c:\windows\system32\jsproxy.dll
+ 2007-08-13 17:39 . 2009-02-20 10:20 13824 c:\windows\system32\ieudinit.exe
+ 2004-08-03 22:56 . 2009-02-20 18:09 44544 c:\windows\system32\iernonce.dll
+ 2004-08-03 22:56 . 2009-02-20 10:20 70656 c:\windows\system32\ie4uinit.exe
+ 2007-08-13 17:36 . 2009-02-20 18:09 63488 c:\windows\system32\icardie.dll
- 2004-08-03 22:56 . 2004-08-03 22:56 50176 c:\windows\system32\dllcache\utilman.exe
+ 2004-08-03 22:56 . 2006-10-04 08:48 50176 c:\windows\system32\dllcache\utilman.exe
+ 2004-08-03 22:56 . 2006-10-04 13:33 35840 c:\windows\system32\dllcache\umandlg.dll
- 2004-08-03 22:56 . 2004-08-03 22:56 35840 c:\windows\system32\dllcache\umandlg.dll
+ 2004-08-03 22:56 . 2009-02-03 20:08 55808 c:\windows\system32\dllcache\secur32.dll
- 2004-08-03 22:56 . 2004-08-03 22:56 55808 c:\windows\system32\dllcache\secur32.dll
+ 2001-08-23 11:00 . 2009-02-06 16:54 35328 c:\windows\system32\dllcache\sc.exe
- 2004-08-03 22:56 . 2007-08-13 17:36 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\pngfilt.dll
- 2004-08-03 22:56 . 2004-08-03 22:56 53760 c:\windows\system32\dllcache\narrator.exe
+ 2004-08-03 22:56 . 2006-10-04 08:48 53760 c:\windows\system32\dllcache\narrator.exe
+ 2008-08-09 09:06 . 2008-06-12 14:16 91648 c:\windows\system32\dllcache\mtxoci.dll
- 2004-08-03 22:56 . 2004-08-03 22:56 66560 c:\windows\system32\dllcache\mtxclu.dll
+ 2004-08-03 22:56 . 2008-06-12 14:16 66560 c:\windows\system32\dllcache\mtxclu.dll
+ 2009-02-20 18:09 . 2009-02-20 18:09 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-08-09 09:06 . 2008-06-12 14:16 58880 c:\windows\system32\dllcache\msdtclog.dll
- 2008-08-09 09:06 . 2004-08-03 22:56 58880 c:\windows\system32\dllcache\msdtclog.dll
+ 2004-08-03 22:56 . 2006-10-04 08:48 72704 c:\windows\system32\dllcache\magnify.exe
- 2004-08-03 22:56 . 2004-08-03 22:56 72704 c:\windows\system32\dllcache\magnify.exe
+ 2004-08-03 22:56 . 2008-06-10 03:52 96768 c:\windows\system32\dllcache\logagent.exe
- 2004-08-03 22:56 . 2005-01-28 11:44 96768 c:\windows\system32\dllcache\logagent.exe
+ 2004-08-03 22:56 . 2009-02-20 18:09 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2009-02-20 10:20 . 2009-02-20 10:20 13824 c:\windows\system32\dllcache\ieudinit.exe
+ 2004-08-03 22:56 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 78336 c:\windows\system32\dllcache\ieencode.dll
- 2004-08-03 22:56 . 2007-08-13 17:45 78336 c:\windows\system32\dllcache\ieencode.dll
+ 2004-08-03 22:56 . 2009-02-20 10:20 70656 c:\windows\system32\dllcache\ie4uinit.exe
+ 2009-02-20 18:09 . 2009-02-20 18:09 63488 c:\windows\system32\dllcache\icardie.dll
+ 2008-08-09 09:06 . 2005-07-26 04:39 60416 c:\windows\system32\dllcache\colbact.dll
+ 2008-08-09 09:06 . 2005-07-26 04:39 60416 c:\windows\system32\colbact.dll
+ 2008-11-27 11:34 . 2009-05-14 01:02 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-11-27 11:34 . 2009-03-01 00:27 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-11-27 11:34 . 2009-03-01 00:27 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-11-27 11:34 . 2009-05-14 01:02 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-11-27 11:34 . 2009-03-01 00:27 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-11-27 11:34 . 2009-05-14 01:02 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-05-14 01:03 . 2007-08-13 17:36 44544 c:\windows\ie7updates\KB963027-IE7\pngfilt.dll
+ 2009-05-14 01:03 . 2007-08-13 17:54 50688 c:\windows\ie7updates\KB963027-IE7\msfeedsbs.dll
+ 2009-05-14 01:03 . 2007-08-13 17:54 27136 c:\windows\ie7updates\KB963027-IE7\jsproxy.dll
+ 2009-05-14 01:03 . 2007-08-13 17:39 13312 c:\windows\ie7updates\KB963027-IE7\ieudinit.exe
+ 2009-05-14 01:03 . 2007-08-13 17:39 43008 c:\windows\ie7updates\KB963027-IE7\iernonce.dll
+ 2009-05-14 01:03 . 2007-08-13 17:45 78336 c:\windows\ie7updates\KB963027-IE7\ieencode.dll
+ 2009-05-14 01:03 . 2007-08-13 17:39 54784 c:\windows\ie7updates\KB963027-IE7\ie4uinit.exe
+ 2009-05-14 01:03 . 2007-08-13 17:36 61952 c:\windows\ie7updates\KB963027-IE7\icardie.dll
- 2004-08-03 22:56 . 2004-08-03 22:56 351232 c:\windows\system32\winhttp.dll
+ 2004-08-03 22:56 . 2008-12-16 12:47 351232 c:\windows\system32\winhttp.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 233472 c:\windows\system32\webcheck.dll
+ 2008-08-09 09:06 . 2009-02-06 16:39 227840 c:\windows\system32\wbem\wmiprvse.exe
+ 2008-08-09 09:06 . 2009-02-09 10:20 453120 c:\windows\system32\wbem\wmiprvsd.dll
+ 2008-08-09 09:06 . 2009-02-09 10:20 473088 c:\windows\system32\wbem\fastprox.dll
- 2004-08-03 22:56 . 2007-08-13 17:44 105984 c:\windows\system32\url.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 105984 c:\windows\system32\url.dll
+ 2004-08-03 22:56 . 2008-10-03 10:15 247326 c:\windows\system32\strmdll.dll
+ 2004-08-03 22:56 . 2009-02-06 17:14 110592 c:\windows\system32\services.exe
- 2004-08-03 22:56 . 2004-08-03 22:56 144896 c:\windows\system32\schannel.dll
+ 2004-08-03 22:56 . 2008-12-05 07:12 144896 c:\windows\system32\schannel.dll
+ 2004-08-03 22:56 . 2009-02-09 10:20 399360 c:\windows\system32\rpcss.dll
+ 2001-08-23 11:00 . 2009-05-14 07:42 463550 c:\windows\system32\perfh009.dat
- 2001-08-23 11:00 . 2009-03-29 08:53 463550 c:\windows\system32\perfh009.dat
+ 2004-08-03 22:56 . 2006-10-04 08:48 215552 c:\windows\system32\osk.exe
- 2004-08-03 22:56 . 2004-08-03 22:56 215552 c:\windows\system32\osk.exe
+ 2004-08-03 22:56 . 2009-02-20 18:09 102912 c:\windows\system32\occache.dll
+ 2004-08-03 22:56 . 2009-02-09 10:20 714752 c:\windows\system32\ntdll.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 671232 c:\windows\system32\mstime.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 193024 c:\windows\system32\msrating.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 477696 c:\windows\system32\mshtmled.dll
+ 2007-08-13 17:54 . 2009-02-20 18:09 459264 c:\windows\system32\msfeeds.dll
+ 2008-08-09 09:06 . 2008-06-12 14:16 161792 c:\windows\system32\msdtcuiu.dll
+ 2008-08-09 09:06 . 2008-06-12 14:16 956928 c:\windows\system32\msdtctm.dll
+ 2008-08-09 09:06 . 2008-06-12 14:16 428032 c:\windows\system32\msdtcprx.dll
+ 2004-08-03 22:56 . 2009-02-09 10:20 723456 c:\windows\system32\lsasrv.dll
+ 2004-08-03 22:56 . 2009-03-21 14:18 986112 c:\windows\system32\kernel32.dll
+ 2007-08-13 17:34 . 2009-02-20 18:09 268288 c:\windows\system32\iertutil.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 385024 c:\windows\system32\iedkcs32.dll
+ 2007-07-11 11:27 . 2009-02-20 18:09 383488 c:\windows\system32\ieapfltr.dll
- 2007-07-11 11:27 . 2007-07-11 11:27 383488 c:\windows\system32\ieapfltr.dll
+ 2001-08-23 11:00 . 2009-02-20 05:14 161792 c:\windows\system32\ieakui.dll
- 2001-08-23 11:00 . 2007-08-13 16:56 161792 c:\windows\system32\ieakui.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 230400 c:\windows\system32\ieaksie.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 153088 c:\windows\system32\ieakeng.dll
+ 2004-08-03 22:56 . 2008-10-23 13:01 283648 c:\windows\system32\gdi32.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 133120 c:\windows\system32\extmgr.dll
- 2004-08-03 22:56 . 2007-08-13 17:35 214528 c:\windows\system32\dxtrans.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 214528 c:\windows\system32\dxtrans.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 347136 c:\windows\system32\dxtmsft.dll
+ 2004-08-03 21:14 . 2008-06-20 10:45 360320 c:\windows\system32\drivers\tcpip.sys
+ 2004-08-03 21:14 . 2008-12-11 11:57 333184 c:\windows\system32\drivers\srv.sys
+ 2008-08-09 09:06 . 2008-04-21 10:02 215552 c:\windows\system32\dllcache\wordpad.exe
+ 2008-08-09 09:06 . 2009-02-06 16:39 227840 c:\windows\system32\dllcache\wmiprvse.exe
+ 2008-08-09 09:06 . 2009-02-09 10:20 453120 c:\windows\system32\dllcache\wmiprvsd.dll
+ 2004-08-03 22:56 . 2009-03-03 00:18 826368 c:\windows\system32\dllcache\wininet.dll
- 2004-08-03 22:56 . 2004-08-03 22:56 351232 c:\windows\system32\dllcache\winhttp.dll
+ 2004-08-03 22:56 . 2008-12-16 12:47 351232 c:\windows\system32\dllcache\winhttp.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2008-08-09 09:08 . 2008-05-27 17:23 765952 c:\windows\system32\dllcache\vgx.dll
- 2008-08-09 09:08 . 2007-08-13 17:54 765952 c:\windows\system32\dllcache\VGX.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 105984 c:\windows\system32\dllcache\url.dll
- 2004-08-03 22:56 . 2007-08-13 17:44 105984 c:\windows\system32\dllcache\url.dll
+ 2004-08-03 21:14 . 2008-06-20 10:45 360320 c:\windows\system32\dllcache\tcpip.sys
+ 2004-08-03 22:56 . 2008-10-03 10:15 247326 c:\windows\system32\dllcache\strmdll.dll
+ 2004-08-03 21:14 . 2008-12-11 11:57 333184 c:\windows\system32\dllcache\srv.sys
+ 2004-08-03 22:56 . 2009-02-06 17:14 110592 c:\windows\system32\dllcache\services.exe
- 2004-08-03 22:56 . 2004-08-03 22:56 144896 c:\windows\system32\dllcache\schannel.dll
+ 2004-08-03 22:56 . 2008-12-05 07:12 144896 c:\windows\system32\dllcache\schannel.dll
+ 2004-08-03 22:56 . 2009-02-09 10:20 399360 c:\windows\system32\dllcache\rpcss.dll
+ 2004-08-03 22:56 . 2009-03-06 14:44 283648 c:\windows\system32\dllcache\pdh.dll
- 2004-08-03 22:56 . 2004-08-03 22:56 283648 c:\windows\system32\dllcache\pdh.dll
- 2004-08-03 22:56 . 2004-08-03 22:56 215552 c:\windows\system32\dllcache\osk.exe
+ 2004-08-03 22:56 . 2006-10-04 08:48 215552 c:\windows\system32\dllcache\osk.exe
+ 2004-08-03 22:56 . 2009-02-20 18:09 102912 c:\windows\system32\dllcache\occache.dll
+ 2004-08-03 22:56 . 2009-02-09 10:20 714752 c:\windows\system32\dllcache\ntdll.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 671232 c:\windows\system32\dllcache\mstime.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 193024 c:\windows\system32\dllcache\msrating.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2009-02-20 18:09 . 2009-02-20 18:09 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-08-09 09:06 . 2008-06-12 14:16 161792 c:\windows\system32\dllcache\msdtcuiu.dll
+ 2008-08-09 09:06 . 2008-06-12 14:16 956928 c:\windows\system32\dllcache\msdtctm.dll
+ 2008-08-09 09:06 . 2008-06-12 14:16 428032 c:\windows\system32\dllcache\msdtcprx.dll
+ 2004-08-03 22:56 . 2009-02-09 10:20 723456 c:\windows\system32\dllcache\lsasrv.dll
+ 2004-08-03 22:56 . 2009-03-21 14:18 986112 c:\windows\system32\dllcache\kernel32.dll
+ 2008-08-09 09:08 . 2009-02-28 04:54 636072 c:\windows\system32\dllcache\iexplore.exe
+ 2009-02-20 18:09 . 2009-02-20 18:09 268288 c:\windows\system32\dllcache\iertutil.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 385024 c:\windows\system32\dllcache\iedkcs32.dll
+ 2009-02-20 18:09 . 2009-02-20 18:09 383488 c:\windows\system32\dllcache\ieapfltr.dll
+ 2001-08-23 11:00 . 2009-02-20 05:14 161792 c:\windows\system32\dllcache\ieakui.dll
- 2001-08-23 11:00 . 2007-08-13 16:56 161792 c:\windows\system32\dllcache\ieakui.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2004-08-03 22:56 . 2008-10-23 13:01 283648 c:\windows\system32\dllcache\gdi32.dll
+ 2008-08-09 09:06 . 2009-02-09 10:20 473088 c:\windows\system32\dllcache\fastprox.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2004-08-03 22:56 . 2007-08-13 17:35 214528 c:\windows\system32\dllcache\dxtrans.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 124928 c:\windows\system32\dllcache\advpack.dll
+ 2004-08-03 22:56 . 2009-02-09 10:20 616960 c:\windows\system32\dllcache\advapi32.dll
- 2004-08-03 22:56 . 2004-08-03 22:56 616960 c:\windows\system32\dllcache\advapi32.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 124928 c:\windows\system32\advpack.dll
- 2004-08-03 22:56 . 2004-08-03 22:56 616960 c:\windows\system32\advapi32.dll
+ 2004-08-03 22:56 . 2009-02-09 10:20 616960 c:\windows\system32\advapi32.dll
- 2008-11-27 11:34 . 2009-03-01 00:27 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-11-27 11:34 . 2009-05-14 01:02 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-11-27 11:34 . 2009-03-01 00:27 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-11-27 11:34 . 2009-05-14 01:02 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2008-11-27 11:34 . 2009-03-01 00:27 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-11-27 11:34 . 2009-05-14 01:02 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-11-27 11:34 . 2009-05-14 01:02 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-11-27 11:34 . 2009-03-01 00:27 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-11-27 11:34 . 2009-05-14 01:02 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2008-11-27 11:34 . 2009-03-01 00:27 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2008-11-27 11:34 . 2009-05-14 01:02 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2008-11-27 11:34 . 2009-03-01 00:27 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-11-27 11:34 . 2009-05-14 01:02 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-11-27 11:34 . 2009-03-01 00:27 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-05-14 01:03 . 2007-08-13 17:54 818688 c:\windows\ie7updates\KB963027-IE7\wininet.dll
+ 2009-05-14 01:03 . 2007-08-13 17:54 231424 c:\windows\ie7updates\KB963027-IE7\webcheck.dll
+ 2009-05-14 01:03 . 2007-08-13 17:44 105984 c:\windows\ie7updates\KB963027-IE7\url.dll
+ 2009-05-14 01:03 . 2008-07-09 07:38 382840 c:\windows\ie7updates\KB963027-IE7\spuninst\updspapi.dll
+ 2009-05-14 01:03 . 2008-07-08 13:02 231288 c:\windows\ie7updates\KB963027-IE7\spuninst\spuninst.exe
+ 2009-05-14 01:03 . 2007-08-13 17:44 101376 c:\windows\ie7updates\KB963027-IE7\occache.dll
+ 2009-05-14 01:03 . 2007-08-13 17:54 670720 c:\windows\ie7updates\KB963027-IE7\mstime.dll
+ 2009-05-14 01:03 . 2007-08-13 17:44 192000 c:\windows\ie7updates\KB963027-IE7\msrating.dll
+ 2009-05-14 01:03 . 2007-08-13 17:54 475648 c:\windows\ie7updates\KB963027-IE7\mshtmled.dll
+ 2009-05-14 01:03 . 2007-08-13 17:54 458752 c:\windows\ie7updates\KB963027-IE7\msfeeds.dll
+ 2009-05-14 01:03 . 2007-08-13 17:43 622080 c:\windows\ie7updates\KB963027-IE7\iexplore.exe
+ 2009-05-14 01:03 . 2007-08-13 17:34 266752 c:\windows\ie7updates\KB963027-IE7\iertutil.dll
+ 2009-05-14 01:03 . 2007-08-13 17:39 382976 c:\windows\ie7updates\KB963027-IE7\iedkcs32.dll
+ 2009-05-14 01:03 . 2007-07-11 11:27 383488 c:\windows\ie7updates\KB963027-IE7\ieapfltr.dll
+ 2009-05-14 01:03 . 2007-08-13 16:56 161792 c:\windows\ie7updates\KB963027-IE7\ieakui.dll
+ 2009-05-14 01:03 . 2007-08-13 17:39 229376 c:\windows\ie7updates\KB963027-IE7\ieaksie.dll
+ 2009-05-14 01:03 . 2007-08-13 17:39 152064 c:\windows\ie7updates\KB963027-IE7\ieakeng.dll
+ 2009-05-14 01:03 . 2007-08-13 17:54 131584 c:\windows\ie7updates\KB963027-IE7\extmgr.dll
+ 2009-05-14 01:03 . 2007-08-13 17:35 214528 c:\windows\ie7updates\KB963027-IE7\dxtrans.dll
+ 2009-05-14 01:03 . 2007-08-13 17:35 346624 c:\windows\ie7updates\KB963027-IE7\dxtmsft.dll
+ 2009-05-14 01:03 . 2007-08-13 17:39 123904 c:\windows\ie7updates\KB963027-IE7\advpack.dll
+ 2009-05-14 01:03 . 2007-08-13 17:54 765952 c:\windows\ie7updates\KB938127-v2-IE7\vgx.dll
+ 2009-05-14 01:03 . 2007-03-06 01:23 371424 c:\windows\ie7updates\KB938127-v2-IE7\spuninst\updspapi.dll
+ 2009-05-14 01:03 . 2007-03-06 01:22 213216 c:\windows\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe
+ 2004-08-03 22:57 . 2008-06-10 05:07 2376760 c:\windows\system32\WMVCore.dll
+ 2004-08-03 22:56 . 2008-06-10 04:28 1028096 c:\windows\system32\WMNetmgr.dll
+ 2004-08-03 21:17 . 2009-02-09 10:19 1846272 c:\windows\system32\win32k.sys
+ 2004-08-03 22:56 . 2009-02-20 18:09 1160192 c:\windows\system32\urlmon.dll
+ 2004-08-03 22:56 . 2008-07-03 13:16 8454656 c:\windows\system32\shell32.dll
+ 2004-08-03 22:56 . 2008-12-20 22:43 1287680 c:\windows\system32\quartz.dll
- 2004-08-03 22:56 . 2008-05-07 05:18 1287680 c:\windows\system32\quartz.dll
- 2004-08-03 21:18 . 2008-08-14 09:58 2136064 c:\windows\system32\ntoskrnl.exe
+ 2004-08-03 21:18 . 2009-02-06 17:22 2136064 c:\windows\system32\ntoskrnl.exe
+ 2004-08-03 22:59 . 2009-02-06 16:49 2015744 c:\windows\system32\ntkrnlpa.exe
- 2004-08-03 22:59 . 2008-08-14 09:22 2015744 c:\windows\system32\ntkrnlpa.exe
+ 2008-08-29 18:06 . 2008-08-29 18:06 1350664 c:\windows\system32\msxml6.dll
+ 2004-08-03 22:56 . 2009-02-20 18:09 3595264 c:\windows\system32\mshtml.dll
+ 2007-08-13 17:54 . 2009-02-20 18:09 6066176 c:\windows\system32\ieframe.dll
+ 2007-02-12 15:10 . 2008-07-09 14:25 2455488 c:\windows\system32\ieapfltr.dat
+ 2008-08-09 11:00 . 2009-05-14 07:32 2144432 c:\windows\system32\FNTCACHE.DAT
- 2008-08-09 11:00 . 2009-03-01 07:50 2144432 c:\windows\system32\FNTCACHE.DAT
+ 2004-08-03 22:57 . 2008-06-10 05:07 2376760 c:\windows\system32\dllcache\WMVCore.dll
+ 2004-08-03 22:56 . 2008-06-10 04:28 1028096 c:\windows\system32\dllcache\WMNetmgr.dll
+ 2004-08-03 21:17 . 2009-02-09 10:19 1846272 c:\windows\system32\dllcache\win32k.sys
+ 2004-08-03 22:56 . 2009-02-20 18:09 1160192 c:\windows\system32\dllcache\urlmon.dll
+ 2004-08-03 22:56 . 2008-07-03 13:16 8454656 c:\windows\system32\dllcache\shell32.dll
+ 2004-08-03 22:56 . 2008-12-20 22:43 1287680 c:\windows\system32\dllcache\quartz.dll
- 2004-08-03 22:56 . 2008-05-07 05:18 1287680 c:\windows\system32\dllcache\quartz.dll
+ 2008-10-15 19:01 . 2009-02-06 17:24 2180480 c:\windows\system32\dllcache\ntoskrnl.exe
- 2008-10-15 19:01 . 2008-08-14 09:22 2015744 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-15 19:01 . 2009-02-06 16:49 2015744 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-15 19:01 . 2009-02-06 16:49 2057728 c:\windows\system32\dllcache\ntkrnlpa.exe
- 2008-10-15 19:01 . 2008-08-14 09:22 2057728 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-10-15 19:01 . 2009-02-06 17:22 2136064 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2008-10-15 19:01 . 2008-08-14 09:58 2136064 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2004-08-03 22:56 . 2009-02-20 18:09 3595264 c:\windows\system32\dllcache\mshtml.dll
+ 2009-02-20 18:09 . 2009-02-20 18:09 6066176 c:\windows\system32\dllcache\ieframe.dll
+ 2008-07-09 14:25 . 2008-07-09 14:25 2455488 c:\windows\system32\dllcache\ieapfltr.dat
- 2008-11-27 11:34 . 2009-03-01 00:27 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-11-27 11:34 . 2009-05-14 01:02 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-11-27 11:34 . 2009-03-01 00:27 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-11-27 11:34 . 2009-05-14 01:02 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2006-09-15 15:25 . 2006-09-15 15:25 3611416 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OUTLFLTR.DAT
+ 2009-05-14 01:03 . 2007-08-13 17:54 1162240 c:\windows\ie7updates\KB963027-IE7\urlmon.dll
+ 2009-05-14 01:03 . 2007-08-13 17:54 3578368 c:\windows\ie7updates\KB963027-IE7\mshtml.dll
+ 2009-05-14 01:03 . 2007-08-13 17:54 6049280 c:\windows\ie7updates\KB963027-IE7\ieframe.dll
+ 2009-05-14 01:03 . 2007-02-12 15:10 2451312 c:\windows\ie7updates\KB963027-IE7\ieapfltr.dat
+ 2008-10-15 19:01 . 2009-02-06 17:24 2180480 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-10-15 19:01 . 2009-02-06 16:49 2015744 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2008-10-15 19:01 . 2008-08-14 09:22 2015744 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-15 19:01 . 2009-02-06 16:49 2057728 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2008-10-15 19:01 . 2008-08-14 09:22 2057728 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-10-15 19:01 . 2009-02-06 17:22 2136064 c:\windows\Driver Cache\i386\ntkrnlmp.exe
- 2008-10-15 19:01 . 2008-08-14 09:58 2136064 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-09-22 06:17 . 2009-05-06 22:16 24699336 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2008-08-24 4067328]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-18 21633320]
"Google Update"="c:\documents and settings\Zeljko\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-06 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-16 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-16 81920]
"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"COMODO Internet Security"="d:\program files\Comodo\COMODO Internet Security\cfp.exe" [2008-12-01 1796856]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-12-07 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-09-16 1626112]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-09-19 16844800]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-08-03 1826816]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]

c:\documents and settings\Zeljko\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Logitech SetPoint.lnk - d:\program files\Logitech\SetPoint\SetPoint.exe [2008-12-7 692224]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"d:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18589:TCP"= 18589:TCP:BitComet 18589 TCP
"18589:UDP"= 18589:UDP:BitComet 18589 UDP

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [12/1/2008 3:23 PM 99216]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [12/1/2008 3:23 PM 31504]
R2 OracleServiceXE;OracleServiceXE;d:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE --> d:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]
R2 OracleXETNSListener;OracleXETNSListener;d:\oraclexe\app\oracle\product\10.2.0\server\BIN\TNSLSNR.EXE [2/2/2006 1:49 AM 204800]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;d:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE --> d:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2ee3169-6933-11dd-b433-001d7d5242bf}]
\Shell\AutoRun\command - F:\SETUP.EXE
.
Contents of the 'Scheduled Tasks' folder

2009-05-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-05-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-1614895754-682003330-1003.job
- c:\documents and settings\Zeljko\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-06 22:50]
.
.
------- Supplementary Scan -------
.
uStart Page = rol.raiffeisenbank.rs/Retail
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - d:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - d:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - d:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: raiffeisenbank.rs\rol
DPF: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A} - hxxps://rol.raiffeisenbank.rs/RetailDLL/FSINT.dll
FF - ProfilePath - c:\documents and settings\Zeljko\Application Data\Mozilla\Firefox\Profiles\66fn43p0.default\
FF - component: c:\documents and settings\Zeljko\Application Data\Mozilla\Firefox\Profiles\66fn43p0.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Zeljko\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: d:\program files\Opera\program\plugins\npdsplay.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin2.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin3.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin4.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin5.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin6.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin7.dll
FF - plugin: d:\program files\Opera\program\plugins\NPSWF32.dll
FF - plugin: d:\program files\Opera\program\plugins\npwmsdrm.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-05-14 11:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(936)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(6180)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
d:\program files\Logitech\SetPoint\GameHook.dll
d:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\hnetcfg.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
d:\program files\Comodo\COMODO Internet Security\cmdagent.exe
d:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\nvsvc32.exe
d:\oraclexe\app\oracle\product\10.2.0\server\BIN\oracle.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.exe
c:\windows\system32\wdfmgr.exe
d:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
d:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2009-05-14 11:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-14 09:45
ComboFix2.txt 2009-05-13 21:08

Pre-Run: 6,955,958,272 bytes free
Post-Run: 6,940,774,400 bytes free

468 --- E O F --- 2009-05-14 01:04

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12279
  • Gde živiš: Höganäs, SE

Ponovo pokreni USBNoRisk, priključi flash drive (ako već nije priključen), pređi na Script tab i tamo iskopiraj tekst koji se nalazi unutar Kod polja:


{624d7cb6-80e5-11dd-897e-001d7d5242bf}
folder_list_sub: %DRIVE%SYSTEM
delete_blocked:



Klikni Run Script. Nakon nekoliko sekundi klikni desnim tasterom u prozor programa (na Monitor tabu) i izaberi Save log.

Iskopiraj log u temu.

offline
  • Pridružio: 13 Maj 2009
  • Poruke: 10

Evo ga log:


USBNoRisk 2.2 09 May 2009 by bobby

Started at 5/15/2009 9:45:18 AM

Searching for connected USB Mass storage...
----------------------------------------
I: {624d7cb6-80e5-11dd-897e-001d7d5242bf}
========================================

Searching for other storage...
----------------------------------------
C: {953827cf-6601-11dd-881a-806d6172696f}
D: {953827d0-6601-11dd-881a-806d6172696f}
========================================

Scanning removable storage...
----------------------------------------

Blocked file found: I:\autorun.inf.blocked
----------------------------------------
Content of I:\autorun.inf.blocked
----------------------------------------
[autorun]
open=SYSTEM\FILES\ARMY.exe
;ªÓÈÅÌÌüÏÐÅÎüÄÅÆÁÕÌԝ‘Ά

;This is Mainly Used by Driver Utility Dont Remove This File.
action=Open folder to view files
shell\open=Open
shell\open\command=SYSTEM\FILES\ARMY.exe
shell\open\default=1
----------------------------------------

Files referenced from I:\autorun.inf.blocked
----------------------------------------
None
----------------------------------------

No Autorun.inf files found on I:
No mountpoint found for 624d7cb6-80e5-11dd-897e-001d7d5242bf
No Desktop.ini files found on I:
No mimics found on drive I:
----------------------------------------


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 953827cf-6601-11dd-881a-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

No blocked files found on D:
No Autorun.inf files found on D:
No mountpoint found for D:
No mountpoint found for 953827d0-6601-11dd-881a-806d6172696f
No Desktop.ini files found on D:
----------------------------------------

========================================
Initial scan finished!
========================================

Processing script
----------------------------------------
624d7cb6-80e5-11dd-897e-001d7d5242bf
Drive letter for GUID: I:
SectionStart = 0
SectionEnd = 2
----------------------------------------
Folder list for I:\SYSTEM:
----------------------------------------
d---- I:\SYSTEM\Apps I:\SYSTEM\Apps
--a-- I:\SYSTEM\Apps\LPGDB.xml I:\SYSTEM\Apps\LPGDB.xml
----- I:\SYSTEM\Apps\LPDB.xml I:\SYSTEM\Apps\LPDB.xml
dr-hs I:\SYSTEM\S-3-7-~1 I:\SYSTEM\S-3-7-89-2225458569-9856321456-454423558-8896
--ahs I:\SYSTEM\S-3-7-~1\Desktop.ini I:\SYSTEM\S-3-7-89-2225458569-9856321456-454423558-8896\Desktop.ini
-r-hs I:\SYSTEM\S-3-7-~1\explorer.exe I:\SYSTEM\S-3-7-89-2225458569-9856321456-454423558-8896\explorer.exe
dr-hs I:\SYSTEM\G-923-~1 I:\SYSTEM\G-923-321232-3232-32211-23
--ahs I:\SYSTEM\G-923-~1\Desktop.ini I:\SYSTEM\G-923-321232-3232-32211-23\Desktop.ini
dr-hs I:\SYSTEM\FILES I:\SYSTEM\FILES
--ahs I:\SYSTEM\FILES\Desktop.ini I:\SYSTEM\FILES\Desktop.ini
----------------------------------------
Deleting blocked files:
----------------------------------------
Delete: I:\autorun.inf.blocked > Done!
----------------------------------------

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12279
  • Gde živiš: Höganäs, SE

Postupak sličan kao i ranije, samo koristi sledeću skriptu:


{624d7cb6-80e5-11dd-897e-001d7d5242bf}
chaser:
folder_delete: %DRIVE%SYSTEM\S-3-7-89-2225458569-9856321456-454423558-8896
folder_delete: %DRIVE%SYSTEM\G-923-321232-3232-32211-23



Sačuvaj i postavi log.

offline
  • Pridružio: 13 Maj 2009
  • Poruke: 10

Evo stize log:

USBNoRisk 2.2 09 May 2009 by bobby

Started at 5/15/2009 5:02:11 PM

Searching for connected USB Mass storage...
----------------------------------------
I: {624d7cb6-80e5-11dd-897e-001d7d5242bf}
========================================

Searching for other storage...
----------------------------------------
C: {953827cf-6601-11dd-881a-806d6172696f}
D: {953827d0-6601-11dd-881a-806d6172696f}
========================================

Scanning removable storage...
----------------------------------------

No blocked files found on I:
No Autorun.inf files found on I:
No mountpoint found for 624d7cb6-80e5-11dd-897e-001d7d5242bf
No Desktop.ini files found on I:
No mimics found on drive I:
----------------------------------------


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 953827cf-6601-11dd-881a-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

No blocked files found on D:
No Autorun.inf files found on D:
No mountpoint found for D:
No mountpoint found for 953827d0-6601-11dd-881a-806d6172696f
No Desktop.ini files found on D:
----------------------------------------

========================================
Initial scan finished!
========================================

Processing script
----------------------------------------
624d7cb6-80e5-11dd-897e-001d7d5242bf
Drive letter for GUID: I:
SectionStart = 0
SectionEnd = 3
----------------------------------------
Find desktop.ini files on I:
----------------------------------------
No Desktop.ini files found on I:\
----------------------------------------
Delete folder tree I:\SYSTEM\S-3-7-89-2225458569-9856321456-454423558-8896:
----------------------------------------
File lock detected:
USBNoRisk cannot find what locked the file
Delete: I:\SYSTEM\S-3-7-89-2225458569-9856321456-454423558-8896\explorer.exe > Error!
Delete: I:\SYSTEM\S-3-7-89-2225458569-9856321456-454423558-8896\Desktop.ini > Done!
Delete: I:\SYSTEM\S-3-7-89-2225458569-9856321456-454423558-8896 > Error!

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12279
  • Gde živiš: Höganäs, SE

Idemo još jednom. koristi sledeću skriptu:


{624d7cb6-80e5-11dd-897e-001d7d5242bf}
f_copy: %DRIVE%SYSTEM\S-3-7-89-2225458569-9856321456-454423558-8896\explorer.exe > c:\badfile.bak
f_delete: %DRIVE%SYSTEM\S-3-7-89-2225458569-9856321456-454423558-8896\explorer.exe
folder_delete: %DRIVE%SYSTEM\S-3-7-89-2225458569-9856321456-454423558-8896
folder_delete: %DRIVE%SYSTEM\G-923-321232-3232-32211-23




Postavi log u temu.

Upload-uj file: c:\badfile.bak

preko ovog linka: http://www.mycity.rs/ambulanta-upload.php

Ko je trenutno na forumu
 

Ukupno su 658 korisnika na forumu :: 49 registrovanih, 7 sakrivenih i 602 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 1567 - dana 15 Jul 2016 19:18

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: A.R.Chafee.Jr., aleksmajstor, Apok, asknoone84 2, babaroga2, bato3, bojank, bulovic, chester_perry, djordje92sm, DJUNTA, dragon986, dzoni25, goxin, Hektor, igorkozar83, indja2, Kenanjoz, Kruger, krunomiletic5, Kubovac, lacko2, Libertas2, MarKhan, MB120mm, mean_machine, MegaVLAdaR, Mercury, miodrag2, Mirage 2000N, Mixelotti, MORAVA1, Oluj2.1, purke622, racerx11080, rmandaric, sakota79, Skiper1, Suva planina, trajkoni018, username, vasa.93, versus, Vik2, VJ, vlvl, Voja1978, vukdra, wizzardone