Win32.Sality virus

  • Veljko
  • Joined: 29 Jul 2008
  • Posts: 615
  • Location: Zemun

I'm the unluckiest of the unlucky. I took my friend's external hard drive to copy data over, because I accidentally formatted a 400 GB partition. And on that drive there is a virus (at least I think so), and, ugh, here we go again: Task Manager has been disabled.
http://www.mycity.rs/Arhiva-Ambulante/Task-manager.....tml#875081 This is where dr_Bora and I struggled to clean it up.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:11:31 PM, on 3/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20978-)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Runtime Software\GetDataBack for NTFS\gdbnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dvvsb.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winkqsk.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wintbgxl.exe
C:\Documents and Settings\Administrator\Desktop\5252.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ptec/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ptec/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.garena.com/portal/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ptec/defaults/su/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: IsoBuster Toolbar - {266fcdca-7bb3-4da7-b3bf-f845dea2ebd6} - C:\Program Files\IsoBuster\tbIso1.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O3 - Toolbar: IsoBuster Toolbar - {266fcdca-7bb3-4da7-b3bf-f845dea2ebd6} - C:\Program Files\IsoBuster\tbIso1.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'd:\program files\vmware\vmware workstation\vsocklib.dll' missing
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe

--
End of file - 7012 bytes

Addendum: 21 Mar 2009 15:21

Oh yes, I'm using the NOD32 antivirus, v3.0xxx or something like that, but I disabled it in Services yesterday because it was causing me some problems.
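The log above is a good candidate for quick automated triage before anyone reaches for a cleanup tool: three short, randomly named executables are running from the Administrator's Temp folder, 5252.exe is running from the Desktop, the O7 line shows the HKCU policy that blocks regedit, and there is a Winsock LSP entry pointing at a missing DLL. The Python script below is an added example (it is not code from this thread, from HijackThis or from ComboFix) that parses a HijackThis v2 log and flags exactly those kinds of entries. The embedded sample is an excerpt of the log posted above; the rules are my own heuristics and the tag names are invented for the example, so a hit means "inspect this", not "this is Sality".

```python
"""Triage a HijackThis v2 log for the kinds of entries seen in the post above.
Added example for this thread, not code from HijackThis or ComboFix.
The rules are heuristics: a hit means "inspect this", not "this is malware"."""
import re
from dataclasses import dataclass

# Constructed excerpt of the HijackThis log posted above (not the full log).
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dvvsb.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winkqsk.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wintbgxl.exe
C:\Documents and Settings\Administrator\Desktop\5252.exe

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Broken Internet access because of LSP provider 'd:\program files\vmware\vmware workstation\vsocklib.dll' missing
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
"""

# HJT item lines look like "O4 - <body>", "R1 - <body>", "F2 - <body>".
HJT_ITEM_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# HJT prints 8.3 short names (LOCALS~1\Temp) as well as long ones, so match the component only.
TEMP_DIR_RE = re.compile(r"\\temp\\", re.I)
DESKTOP_DIR_RE = re.compile(r"\\desktop\\", re.I)
# "..., DisableRegedit=1" at the end of an O7 body.
POLICY_RE = re.compile(r"(Disable\w+)=(\d+)\s*$")


@dataclass(frozen=True)
class Finding:
    tag: str      # tag names are invented for this example
    detail: str   # the path, policy or log line that triggered the rule


def parse_hjt(text):
    """Return (kind, body) pairs: kind is "PROC" inside the running-process block,
    otherwise the HJT item code (R0, O4, O23, ...). Header lines are skipped."""
    entries = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:            # a blank line ends the process block
            in_procs = False
            continue
        if in_procs:
            entries.append(("PROC", line))
            continue
        m = HJT_ITEM_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Apply the heuristics and return a list of Finding objects."""
    findings = []
    for kind, body in entries:
        if kind == "PROC":
            # Executables running out of %Temp% or off the Desktop deserve a look.
            if TEMP_DIR_RE.search(body):
                findings.append(Finding("TEMP_PROCESS", body))
            elif DESKTOP_DIR_RE.search(body):
                findings.append(Finding("DESKTOP_PROCESS", body))
        elif kind == "O4" and TEMP_DIR_RE.search(body):
            # Autostart entry pointing into a Temp folder: persistence for a dropper.
            findings.append(Finding("TEMP_AUTORUN", body))
        elif kind == "O7":
            # O7 = policy restrictions; DisableRegedit=1 is why regedit is blocked.
            m = POLICY_RE.search(body)
            if m and m.group(2) != "0":
                findings.append(Finding("POLICY_RESTRICTION", f"{m.group(1)}={m.group(2)}"))
        elif kind == "O10" and body.startswith("Broken Internet access"):
            # LSP chain pointing at a missing DLL: here a VMware leftover, but a
            # hijacked LSP is also a classic way to sit in the traffic path.
            findings.append(Finding("BROKEN_LSP", body))
        elif kind == "O23" and "Unknown owner" in body:
            # Service with no recognised vendor: verify the binary before trusting it.
            findings.append(Finding("UNKNOWN_SERVICE", body))
    return findings


def count_by_tag(findings):
    """Totals per tag, for a one-line summary."""
    counts = {}
    for f in findings:
        counts[f.tag] = counts.get(f.tag, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(parse_hjt(SAMPLE_HJT_LOG))
    for f in results:
        print(f"[{f.tag}] {f.detail}")
    print(count_by_tag(results))
```

Run as a script it prints one line per finding followed by the totals; on the excerpt that is three TEMP_PROCESS hits, one DESKTOP_PROCESS, one POLICY_RESTRICTION (DisableRegedit=1), one BROKEN_LSP and one UNKNOWN_SERVICE. The policy value is the reason Task Manager and regedit are greyed out; flipping it back by hand tends not to stick while whatever set it is still running, which is why the usual next step is a cleanup tool rather than a registry edit.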

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...

You again. And me again.

Download ComboFix from one of the following addresses to your Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and do not touch the program window while it scans.
Follow the instructions on the screen. When it finishes, a log will appear (C:\ComboFix.txt), which you should copy here for us.

  • Veljko
  • Joined: 29 Jul 2008
  • Posts: 615
  • Location: Zemun

Hello to you too, dr_Bora.
Here's the log.
Note: I ran ComboFix twice (by accident), but from the log I think CF noticed that and also wrote out what it detected the first time.

ComboFix 09-03-19.02 - Administrator 2009-03-21 16:39:12.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2687 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning enabled* (Outdated)
FW: ESET Personal firewall *disabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\drivers\npf.sys
c:\windows\system32\packet.dll
c:\windows\system32\pthreadGC2.dll
c:\windows\system32\wpcap.dll
.
---- Previous Run -------
.
c:\windows\system32\Dvbpws.dll
c:\windows\system32\MSSbs.sys

----- BITS: Possible infected sites -----

hxxp://sunmicro.ht.rd.llnw.net
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC3360PR
-------\Service_asc3360pr
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-02-21 to 2009-03-21 )))))))))))))))))))))))))))))))
.

2089-03-16 07:16 . 2089-03-16 07:16 <DIR> d-------- c:\windows\system32\MAGIX
2089-03-16 07:16 . 2089-03-16 07:16 <DIR> d-------- c:\program files\MAGIX
2089-03-16 07:16 . 2089-03-16 07:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\MAGIX
2089-03-16 07:16 . 2089-03-16 07:16 <DIR> d-------- c:\documents and settings\Administrator\Application Data\MAGIX
2089-03-16 07:16 . 2008-04-15 15:14 700,416 --a------ c:\windows\system32\mgxoschk.dll
2089-03-16 07:16 . 2007-04-27 09:43 120,200 --a------ c:\windows\system32\DLLDEV32i.dll
2089-03-16 07:16 . 2003-04-18 15:29 44,544 --a------ c:\windows\system32\msxml4a.dll
2089-03-16 07:16 . 2089-03-16 07:16 6,211 --a------ c:\windows\mgxoschk.ini
2089-03-08 10:59 . 2089-03-08 10:59 <DIR> d-------- c:\program files\WinHTTrack
2009-03-21 16:43 . 2009-03-21 16:43 <DIR> d-------- c:\windows\system32\xircom
2009-03-21 16:43 . 2009-03-21 16:43 <DIR> d-------- c:\program files\microsoft frontpage
2009-03-21 16:38 . 2009-03-21 16:38 <DIR> d-------- C:\32788R22FWJFW
2009-03-21 14:58 . 2009-03-21 15:06 <DIR> d-------- c:\program files\AlienGUIse
2009-03-21 14:58 . 2003-02-26 22:27 36,864 --a------ c:\windows\system32\wbsys.dll
2009-03-21 14:58 . 2009-03-21 14:58 56 --a------ c:\windows\wb.ini
2009-03-21 14:51 . 2009-03-21 14:51 <DIR> d-------- c:\documents and settings\Administrator\Application Data\teamspeak2
2009-03-21 12:23 . 2009-03-21 13:39 50 --a------ c:\windows\MegaManager.INI
2009-03-21 12:22 . 2009-03-21 12:25 <DIR> d-------- c:\documents and settings\Administrator\Application Data\foobar2000
2009-03-21 12:20 . 2009-03-21 12:20 <DIR> d-------- c:\program files\Megaupload
2009-03-21 12:20 . 2009-03-21 12:20 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Megaupload
2009-03-21 11:09 . 2009-03-21 11:09 <DIR> d-------- C:\Lyrics
2009-03-21 11:09 . 2009-03-21 11:09 <DIR> d-------- c:\documents and settings\Administrator\Application Data\MiniLyrics
2009-03-20 12:08 . 2009-03-20 12:08 <DIR> d-------- c:\documents and settings\Administrator\Application Data\dvdcss
2009-03-20 12:06 . 2009-03-20 12:06 <DIR> d-------- c:\program files\Nenad's Productions and Programs
2009-03-20 10:10 . 2009-03-20 10:10 <DIR> d-------- c:\documents and settings\Administrator\Application Data\ACD Systems
2009-03-20 09:25 . 2009-03-20 09:25 <DIR> d-------- c:\program files\Recuva
2009-03-20 09:09 . 2009-03-20 09:09 <DIR> d-------- c:\program files\Runtime Software
2009-03-19 06:42 . 2009-03-19 06:42 8,192 -rahs---- C:\BOOTSECT.BAK
2009-03-18 21:07 . 2009-03-18 21:30 1,908 --a------ c:\windows\diagwrn.xml
2009-03-18 21:07 . 2009-03-18 21:30 1,908 --a------ c:\windows\diagerr.xml
2009-03-18 12:38 . 2009-03-18 12:38 <DIR> d-------- c:\program files\ICQ6Toolbar
2009-03-18 12:38 . 2009-03-18 12:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\ICQ
2009-03-18 12:38 . 2009-03-18 12:40 <DIR> d-------- c:\documents and settings\Administrator\Application Data\ICQ
2009-03-18 12:37 . 2009-03-18 12:39 <DIR> d-------- c:\program files\ICQ6.5
2009-03-18 09:21 . 2009-03-18 09:21 <DIR> d-------- c:\program files\NVIDIA Corporation
2009-03-18 09:15 . 2009-03-18 09:16 <DIR> d-------- c:\program files\NVIDIA nTune Performance Application
2009-03-15 09:45 . 2009-03-15 09:45 <DIR> d-------- c:\program files\BearShare Applications
2009-03-15 09:45 . 2008-09-25 14:20 483,328 --a------ c:\windows\system32\actskn45.ocx
2009-03-15 09:30 . 2009-03-15 09:30 <DIR> d-------- c:\program files\Stardock
2009-03-15 09:30 . 2009-03-21 14:58 <DIR> d-------- c:\program files\Common Files\Stardock
2009-03-15 05:53 . 2009-03-21 11:44 <DIR> d-------- c:\program files\Flock
2009-03-15 05:53 . 2009-03-15 05:53 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Flock
2009-03-15 00:41 . 2009-03-15 00:45 <DIR> d-------- c:\program files\Color_Cop
2009-03-15 00:41 . 2009-03-15 00:42 <DIR> d-------- c:\documents and settings\Administrator\Application Data\ColorCop
2009-03-14 22:59 . 2009-03-14 22:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ulead Systems
2009-03-14 22:31 . 2009-03-14 22:31 <DIR> d-------- c:\program files\Microsoft Bootvis
2009-03-14 20:43 . 2009-03-14 20:43 <DIR> d-------- c:\program files\MozBackup
2009-03-14 05:02 . 2009-03-14 05:03 <DIR> d-------- c:\program files\Counter-Strike 1.621
2009-03-14 04:48 . 2009-03-14 04:48 <DIR> d-------- c:\windows\system32\AGEIA
2009-03-14 04:48 . 2009-03-14 04:48 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-14 04:48 . 2009-03-14 04:48 <DIR> d-------- c:\program files\AGEIA Technologies
2009-03-14 00:20 . 2009-03-14 00:20 <DIR> d-------- c:\program files\tuxguitar-1.0-jet
2009-03-14 00:20 . 2009-03-14 00:20 <DIR> d-------- c:\documents and settings\Administrator\.tuxguitar-1.0
2009-03-13 23:08 . 2009-03-13 23:08 <DIR> d-------- c:\program files\Common Files\DirectX
2009-03-13 22:39 . 2008-04-07 14:38 45,392 -ra------ c:\windows\system32\AdobePDF.dll
2009-03-13 22:39 . 2008-04-07 14:38 22,872 -ra------ c:\windows\system32\AdobePDFUI.dll
2009-03-13 22:29 . 2009-03-13 22:29 <DIR> d-------- c:\program files\Paint.NET
2009-03-13 22:24 . 2009-03-18 12:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-13 22:24 . 2009-03-13 22:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-13 22:24 . 2009-03-13 22:24 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-13 22:24 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-13 22:24 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-13 22:22 . 2009-03-13 22:22 <DIR> d-------- c:\program files\Acala 3GP Movies Free
2009-03-13 22:22 . 2009-03-13 22:23 <DIR> dr------- c:\documents and settings\Administrator\Application Data\SpaceTime 3D
2009-03-13 22:22 . 2004-01-27 20:50 1,024,000 --a------ c:\windows\system32\3ivx.dll
2009-03-13 22:22 . 2004-01-27 20:51 290,816 --a------ c:\windows\system32\3ivxDSDecoder.ax
2009-03-13 22:21 . 2009-03-13 22:21 <DIR> d-------- c:\program files\foobar2000
2009-03-13 22:20 . 2009-03-13 22:20 <DIR> d-------- c:\program files\nLite
2009-03-13 21:29 . 2009-03-13 21:29 <DIR> d-------- c:\program files\Screen Capturer
2009-03-13 21:29 . 2009-03-13 21:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\ScreenCapture
2009-03-13 09:17 . 2009-03-13 09:17 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Thinstall
2009-03-13 07:46 . 2009-03-13 08:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Download Manager
2009-03-13 07:45 . 2009-03-13 07:45 <DIR> d-------- c:\windows\Sun
2009-03-13 07:04 . 2009-03-13 07:04 <DIR> d-------- c:\documents and settings\Administrator\Application Data\GRETECH
2009-03-12 18:47 . 2009-03-12 18:47 <DIR> d-------- c:\windows\system32\NtmsData
2009-03-11 18:23 . 2009-03-11 18:23 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Free Sound Recorder
2009-03-11 18:22 . 2009-03-11 18:23 <DIR> d-------- c:\program files\Free Sound Recorder
2009-03-11 18:22 . 2005-05-17 12:37 1,986,560 --a------ c:\windows\system32\NCTAudioFile2.dll
2009-03-11 18:22 . 2005-05-18 11:52 1,212,416 --a------ c:\windows\system32\NCTAudioInformation2.dll
2009-03-11 18:22 . 2005-04-15 12:08 880,640 --a------ c:\windows\system32\NCTAudioEditor2.dll
2009-03-11 18:22 . 2004-11-04 13:31 835,584 --a------ c:\windows\system32\NCTAudioCDGrabber2.dll
2009-03-11 18:22 . 2005-04-04 17:21 602,112 --a------ c:\windows\system32\NCTAudioTransform2.dll
2009-03-11 18:22 . 2005-03-28 15:54 479,232 --a------ c:\windows\system32\NCTAudioVisualization2.dll
2009-03-11 18:22 . 2005-04-25 13:01 458,752 --a------ c:\windows\system32\NCTAudioRecord2.dll
2009-03-11 18:22 . 2005-04-25 13:01 458,752 --a------ c:\windows\system32\NCTAudioPlayer2.dll
2009-03-11 18:22 . 2005-03-28 15:52 417,792 --a------ c:\windows\system32\NCTTextToAudio2.dll
2009-03-11 18:22 . 2005-02-24 11:51 348,160 --a------ c:\windows\system32\NCTWMAFile2.dll
2009-03-11 18:22 . 2006-03-23 12:56 113,486 --a------ c:\windows\system32\NCTWMAProfiles.prx
2009-03-11 17:23 . 2009-03-11 17:23 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Corel
2009-03-11 17:23 . 2009-03-11 17:24 2,828 --ahs---- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-03-11 17:23 . 2009-03-11 17:23 8 -r-hs---- c:\documents and settings\All Users\Application Data\325F841AFA.sys
2009-03-11 17:22 . 2009-03-11 17:22 <DIR> d-------- c:\program files\Common Files\Protexis
2009-03-11 17:22 . 2009-03-11 17:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Corel
2009-03-11 17:12 . 2009-03-11 17:12 <DIR> d-------- c:\program files\Common Files\Corel
2009-03-11 17:10 . 2009-03-17 22:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\VMware
2009-03-11 17:02 . 2009-03-11 17:02 <DIR> d-------- c:\program files\Common Files\Adobe Systems Shared
2009-03-11 16:17 . 2009-03-11 16:17 <DIR> d-------- c:\program files\Eggiz
2009-03-10 19:05 . 2009-03-14 00:18 <DIR> d-------- C:\WinFast WorkArea
2009-03-10 19:05 . 2009-03-18 12:38 <DIR> d-------- c:\program files\Mozilla Firefox 3.1 Beta 2
2009-03-10 18:33 . 2009-03-13 08:45 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\VMware
2009-03-10 14:25 . 2009-03-10 14:25 <DIR> d-------- C:\Autodesk
2009-03-10 14:03 . 2009-03-10 14:03 <DIR> d-------- C:\Python26
2009-03-10 13:59 . 2009-03-10 13:59 <DIR> d-------- c:\program files\Blender Foundation
2009-03-10 13:59 . 2009-03-10 13:59 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Blender Foundation
2009-03-10 13:56 . 2009-03-10 13:56 <DIR> d-------- c:\documents and settings\All Users\progeSOFT
2009-03-10 13:56 . 2009-03-10 13:56 <DIR> d-------- c:\documents and settings\Administrator\Application Data\progeSOFT
2009-03-10 13:32 . 2005-10-14 22:42 46,592 --a------ c:\windows\system32\hpzll43a.dll
2009-03-10 13:32 . 2008-04-13 22:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-03-10 13:30 . 2009-03-10 13:30 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2009-03-10 13:29 . 2009-03-10 13:29 <DIR> d-------- c:\program files\HP
2009-03-10 13:17 . 2009-03-10 13:17 <DIR> d-------- c:\program files\Minilyrics
2009-03-10 13:13 . 2009-03-10 13:13 <DIR> d-------- C:\FPC
2009-03-10 13:07 . 2008-07-10 17:28 79,896 --a------ c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.0.1600.22.dll
2009-03-10 13:07 . 2008-07-10 17:28 50,200 --a------ c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.0.1600.22.dll
2009-03-10 13:06 . 2009-03-10 13:06 <DIR> d-------- c:\windows\system32\RsFx
2009-03-10 13:05 . 2009-03-10 13:05 <DIR> d-------- c:\program files\MSXML 6.0
2009-03-10 13:03 . 2009-03-10 13:03 <DIR> d-------- c:\program files\Microsoft Synchronization Services
2009-03-10 13:03 . 2009-03-10 13:03 <DIR> d-------- c:\program files\Microsoft SQL Server Compact Edition
2009-03-10 13:03 . 2009-03-10 13:06 <DIR> d-------- c:\program files\Microsoft SQL Server
2009-03-10 13:01 . 2009-03-10 13:03 <DIR> d-------- c:\program files\Microsoft Visual Studio 9.0
2009-03-10 13:00 . 2009-03-10 13:00 <DIR> d-------- c:\program files\Microsoft SDKs
2009-03-10 12:39 . 2009-03-10 12:39 <DIR> d-------- c:\documents and settings\LocalService\Application Data\VMware
2009-03-10 12:38 . 2008-09-18 23:11 723,504 --a------ c:\windows\system32\vnetlib.dll
2009-03-10 12:38 . 2008-09-18 23:11 399,920 --a------ c:\windows\system32\vmnat.exe
2009-03-10 12:38 . 2008-09-18 23:11 326,192 --a------ c:\windows\system32\vmnetdhcp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-21 11:20 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-09 17:46 --------- d-----w c:\program files\Common Files\InstallShield
2009-03-07 05:20 16,608 ----a-w c:\windows\gdrv.sys
2009-03-07 05:00 --------- d-----w c:\program files\Yahoo!
2009-03-07 04:59 --------- d-----w c:\program files\Realtek
2009-03-07 04:59 --------- d-----w c:\documents and settings\Administrator\Application Data\InstallShield
2009-03-07 04:56 315,392 ----a-w c:\windows\HideWin.exe
2009-03-07 04:54 --------- d-----w c:\program files\Intel
2009-03-07 04:54 --------- d-----w c:\program files\GIGABYTE
2009-03-07 04:51 --------- d-----w c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2009-03-07 04:48 --------- d-----w c:\program files\Reference Assemblies
2009-03-07 04:48 --------- d-----w c:\program files\MSBuild
2009-03-07 04:45 --------- d-----w c:\program files\Windows Media Connect 2
2009-03-07 04:42 --------- d-----w c:\program files\Windows Desktop Search
2009-03-07 04:42 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-17 02:09 58,112 ----a-w c:\windows\system32\drivers\vdmindvd.sys
2009-02-17 02:09 51,712 ----a-w c:\windows\system32\drivers\tosdvd.sys
2009-02-17 02:09 262,528 ----a-w c:\windows\system32\drivers\cinemst2.sys
2009-02-17 02:09 21,376 ----a-w c:\windows\system32\drivers\tsbvcap.sys
2009-02-17 02:09 18,688 ----a-w c:\windows\system32\drivers\cdaudio.sys
2009-02-17 02:09 12,160 ----a-w c:\windows\system32\drivers\fsvga.sys
2009-02-17 02:09 12,032 ----a-w c:\windows\system32\drivers\riodrv.sys
2009-02-17 02:09 12,032 ----a-w c:\windows\system32\drivers\rio8drv.sys
2009-02-17 02:09 12,032 ----a-w c:\windows\system32\drivers\nikedrv.sys
2009-02-17 02:09 11,776 ----a-w c:\windows\system32\drivers\cpqdap01.sys
2009-02-17 01:55 361,600 ----a-w c:\windows\system32\drivers\tcpip.sys
2009-02-17 01:51 82,944 ----a-w c:\windows\system32\drivers\wudfrd.sys
2009-02-17 01:51 77,568 ----a-w c:\windows\system32\drivers\wudfpf.sys
2009-02-17 01:51 38,528 ----a-w c:\windows\system32\drivers\wpdusb.sys
2009-02-17 01:50 62,848 ----a-w c:\windows\system32\drivers\rspndr.sys
2009-02-17 01:45 133,632 ----a-w c:\windows\system32\drivers\exfat.sys
2009-02-17 01:38 81,792 ----a-w c:\windows\system32\drivers\videoprt.sys
2009-02-17 01:38 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2009-02-17 01:38 225,856 ----a-w c:\windows\system32\drivers\tcpip6.sys
2009-02-17 01:37 91,776 ----a-w c:\windows\system32\drivers\ndiswan.sys
2009-02-17 01:37 30,592 ----a-w c:\windows\system32\drivers\rndismp.sys
2009-02-17 01:37 203,136 ----a-w c:\windows\system32\drivers\RMCast.sys
2009-02-17 01:37 182,912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-02-17 01:37 174,848 ----a-w c:\windows\system32\drivers\rdbss.sys
2009-02-17 01:37 139,656 ----a-w c:\windows\system32\drivers\rdpwd.sys
2009-02-17 01:37 105,344 ----a-w c:\windows\system32\drivers\mup.sys
2009-02-17 01:35 92,544 ----a-w c:\windows\system32\drivers\mqac.sys
2009-02-17 01:35 456,704 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2009-02-17 01:35 180,096 ----a-w c:\windows\system32\drivers\mrxdav.sys
2009-02-17 01:34 9,216 ----a-w c:\windows\system32\drivers\fs_rec.sys
2009-02-17 01:34 62,976 ----a-w c:\windows\system32\drivers\cdrom.sys
2009-02-17 01:34 36,352 ----a-w c:\windows\system32\drivers\disk.sys
2009-02-17 01:34 272,128 ----a-w c:\windows\system32\drivers\bthport.sys
2009-02-17 01:34 138,496 ----a-w c:\windows\system32\drivers\afd.sys
2009-02-17 01:34 1,053,696 ----a-w c:\windows\explorer.exe
2009-01-09 18:19 1,089,593 ----a-r c:\windows\SET4.tmp
.

------- Sigcheck -------

2009-02-17 02:39 818688 f503ab79527137ad1ffdf27287993e20 c:\windows\system32\wininet.dll

2009-02-17 02:55 361600 25a740d70e8007814a48d3fa1b34fa34 c:\windows\system32\drivers\tcpip.sys

2009-02-17 02:34 1053696 5e633d3fcd9bd60f5b21456dbd6dd98b c:\windows\explorer.exe

2009-02-17 02:41 66584 2275f45e257d46e6500558b2930cb9a4 c:\windows\system32\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-08 22:08 279944 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{266fcdca-7bb3-4da7-b3bf-f845dea2ebd6}]
2009-03-09 16:21 1883672 --a------ c:\program files\IsoBuster\tbIso1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{266fcdca-7bb3-4da7-b3bf-f845dea2ebd6}"= "c:\program files\IsoBuster\tbIso1.dll" [2009-03-09 1883672]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-08 279944]

[HKEY_CLASSES_ROOT\clsid\{266fcdca-7bb3-4da7-b3bf-f845dea2ebd6}]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{266FCDCA-7BB3-4DA7-B3BF-F845DEA2EBD6}"= "c:\program files\IsoBuster\tbIso1.dll" [2009-03-09 1883672]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-08 279944]

[HKEY_CLASSES_ROOT\clsid\{266fcdca-7bb3-4da7-b3bf-f845dea2ebd6}]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-03-07 342848]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 163840]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-02-17 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 23:34 24576 c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Screen Capturer.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Screen Capturer.lnk
backup=c:\windows\pss\Screen Capturer.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
backup=c:\windows\pss\Stardock ObjectDock.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
-r------- 2007-08-29 09:55 1966080 c:\windows\system32\xRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
--a------ 2008-08-14 07:58 611712 c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2009-03-07 18:33 342848 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 12:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-12-29 11:40 687560 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
--a------ 2008-07-01 09:01 1447168 c:\program files\ESET\ESET Smart Security\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GEST]
--a------ 2007-12-14 11:46 236040 c:\program files\GIGABYTE\GEST\run.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
-r------- 2007-03-20 07:36 36864 c:\windows\RaidTool\xInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
--a------ 2007-12-10 15:55 323584 c:\windows\PixArt\i-Look110\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-14 03:42 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2009-02-06 18:51 3885408 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-01-03 22:26 13508608 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
--a------ 2007-09-04 19:25 163840 c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-01-03 22:26 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PAC207_Monitor]
--a------ 2007-12-10 15:55 323584 c:\windows\PixArt\i-Look110\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-11-02 09:38 167936 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RGSC]
--a------ 2009-03-09 16:52 306088 c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2009-03-06 22:54 24095528 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-03-14 23:50 148888 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast Schedule]
--a------ 2007-11-15 15:55 2850816 c:\program files\WinFast\WFDTV\WFWIZ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFastDTV]
--a------ 2007-11-16 16:13 90112 c:\program files\WinFast\WFDTV\DTVSchdl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 11:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-01-03 22:26 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2007-09-19 11:14 16844800 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\svchost]
--a------ 2008-04-14 12:00 14336 c:\windows\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"idsvc"=3 (0x3)
"GEST Service"=3 (0x3)
"NVSvc"=2 (0x2)
"TuneUp.ProgramStatisticsSvc"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"gusvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"AutoExNT"=2 (0x2)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"ose"=3 (0x3)
"PnkBstrA"=3 (0x3)
"UleadBurningHelper"=2 (0x2)
"Autodesk Licensing Service"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"VMware NAT Service"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMAuthdService"=2 (0x2)
"ufad-ws60"=3 (0x3)
"SQLWriter"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"MSSQL$SQLEXPRESS"=2 (0x2)
"mi-raysat_3dsMax2009_32"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"PSI_SVC_2"=2 (0x2)
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)
"nTuneService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2009\\3dsmax.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\NVIDIA Corporation\\nTune\\nTuneCmd.exe"=
"c:\\Program Files\\Runtime Software\\GetDataBack for NTFS\\gdbnt.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\WINDOWS\\system32\\CF6048.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2008-09-18 54960]
R3 PAC207;i-Look 110;c:\windows\system32\drivers\PFC027.SYS [2009-03-07 618112]
S2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [2009-03-18 222456]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-03-13 38496]
S3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFDTV\WFIOCTL.sys [2009-03-08 9446]
S4 AutoExNT;AutoExNT;c:\windows\system32\Autoexnt.exe [2009-03-07 5904]
S4 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2007-12-21 468224]
S4 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\GEST\GSvr.exe [2009-03-07 47624]
S4 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-03-10 65536]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2008-07-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-07-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-10 369688]
S4 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-03-07 603904]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASC3360PR

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5477D33F-0944-58FD-221B-DE07A7698242}]
c:\windows\system32\blka.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-21 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 16:28]

2089-03-16 c:\windows\Tasks\User_Feed_Synchronization-{47953569-6DC6-4B87-844B-9789B1D80F93}.job
- c:\windows\system32\msfeedssync.exe [2009-02-17 02:49]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{32099AAC-C132-4136-9E9A-4E364A424E17} - (no file)
Notify-WgaLogon - (no file)
MSConfigStartUp-Acrobat Assistant 8 - d:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
MSConfigStartUp-Adobe Acrobat Speed Launcher - d:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
MSConfigStartUp-BMISR - c:\program files\KYE\WebMate\BM.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.garena.com/portal/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/su/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ti1kmzee.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-21 16:43:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1547161642-1592454029-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-1547161642-1592454029-682003330-500\Software\SecuROM\License information*]
"datasecu"=hex:2c,e8,2b,f7,b8,ea,d2,f5,42,01,91,cd,b7,03,85,1c,65,82,83,e2,0c,
17,15,0c,d7,9d,43,e0,b8,71,d7,e7,88,24,0c,1f,02,b1,4f,a2,ca,16,bf,23,95,c3,\
"rkeysecu"=hex:85,15,f2,a0,f4,54,cd,87,15,a8,ed,12,fb,a3,2e,f9

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
Completion time: 2009-03-21 16:46:38 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2009-03-21 15:46:36

Pre-Run: 840,785,920 bytes free
Post-Run: 1,135,501,312 bytes free

464 --- E O F --- 2009-03-08 15:09:41

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

veljko-94, this is the Sality virus again, just like last time.
You know what the situation is.

In principle, I have an idea for (only) one more attempt/procedure. If you're up for it, say so.

offline
  • Veljko
  • Joined: 29 Jul 2008
  • Posts: 615
  • Location: Zemun

Well, I'm up for it.
Is that solution again formatting the partition with XP and not opening the partition until I've scanned it with DrWeb CureIt?

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

I have something else in mind (formatting comes if this doesn't work).

Tell me how many partitions you have and what their drive letters are.

offline
  • Veljko
  • Joined: 29 Jul 2008
  • Posts: 615
  • Location: Zemun

After my latest blunder, when I wanted to install Mac OS X on the PC (but it didn't work out), a large part of the hard drive got formatted. The current state after merging partitions is: C (about 45 GB, almost full), D empty and formatted (420 GB; I'm now pulling data from it onto that drive from the first post), then E (11 GB, 100% full) and G (about 11 GB).

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Well, data recovery and this won't go together.
When you finish (and remove that second HDD), let me know and you'll get the instructions.

offline
  • Veljko
  • Joined: 29 Jul 2008
  • Posts: 615
  • Location: Zemun

OK, I'll get back to you in 2-3 h when I 'sort out the computer'. I should be done by then.
Here's a picture to give you a better idea of my partitions.
PS: the one labelled "system" is actually the external HD.


Update: 22 Mar 2009 11:56

Dr Bora, I'm ready to continue so that we get rid of this virus as soon as possible.

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Read everything that follows before you start doing anything.


You have received the download link. The archive you download must be extracted to the root of the C drive (the file launch.com must be in the root).

Then also extract avz4.zip, which was inside the archive from the start.


Open the folder where avz4.zip was extracted and double-click avz.com to start the program.


Click File > Custom scripts.

Into the window that opens, copy everything inside the Code box (be careful when copying, every character matters):


var i:integer;

begin
  // Stop immediately if launch.com is not in the root of C: (archive extracted to the wrong place)
  If Not FileExists('C:\launch.com') Then ExitAVZ;
  // Rootkit scan and AVZGuard, so the infection cannot interfere with the cleanup
  SearchRootkit(True, True);
  SetAVZGuardStatus(True);
  RefreshProcessList;
  // Terminate every process that is running from a \temp\ folder
  For i:=0 To GetProcessCount-1 Do
    If Pos('\temp\', LowerCase(GetProcessName(i)))>0 Then TerminateProcess(GetProcessPID(i));
  // Remove executables from the temp folder and autorun.inf from every drive
  DeleteFileMask ('%Tmp%', '*.exe', True);
  DeleteFile('C:\autorun.inf');
  DeleteFile('D:\autorun.inf');
  DeleteFile('E:\autorun.inf');
  DeleteFile('F:\autorun.inf');
  DeleteFile('G:\autorun.inf');
  // Boot Cleaner tasks: disable and delete the asc3360pr driver service (ASC3360PR in the ComboFix log)
  BC_DisableSvc('asc3360pr');
  BC_DeleteSvc('asc3360pr');
  BC_LogFile('C:\BClog1.txt');
  BC_Execute;
  // AVZ system repair items (Safe Mode boot settings, Task Manager and Registry Editor unlock)
  ExecuteRepair(10);
  ExecuteRepair(11);
  ExecuteRepair(17);
  // Start Dr.Web CureIt through launch.com, then reboot with the Boot Cleaner active
  ShowMessage('Klikni OK da pokreneš CureIt.');
  ExecuteFile('C:\launch.com', '', 1, 0, false);
  ShowMessage('Klikni OK za restartovanje.');
  BC_Activate;
  RebootWindows(True)
end.




Now close every program that can be closed.
After the step that follows, do not do anything with the computer except what is described here (meaning: no launching programs, no clicking, no pressing keys...).

When you click Run in the AVZ window:

- after a brief scan, a message will appear:
Quote: Klikni OK da pokreneš CureIt. (Click OK to start CureIt.)
When you click OK, the program Dr.Web CureIt will start. Run the scan according to these instructions:
When the introductory window appears, click Start

A notice that the introductory scan is starting will appear; click OK

Wait a few minutes for Dr.Web CureIt to finish the Express Scan; if malware is found, click the Yes to All button in the window that appears to allow the program to disinfect

Click Options > Change settings F9; in the window that opens, uncheck the Heuristic Analysis option and then click OK

In the main window, select the Complete scan option, then click the scan button, and Dr.Web CureIt will start scanning

If malware is found, click the Yes to All button in the window that appears to allow the program to disinfect

When the scan is finished, click the Select all button (if it is available), then click Cure and,
in the menu that opens, click Move incurable:


When the process is complete, click File > Save report list, save the log on the Desktop, and close CureIt.



- In parallel with the launch of CureIt, one more message will appear:
Quote: Klikni OK za restartovanje. (Click OK to restart.)

After the CureIt scan is finished, click OK so that the computer restarts and the process continues.
So: OK to start CureIt, then the scan, then OK again to restart.

Keep in mind that the restart will take several minutes (it may look as if nothing is happening); just wait patiently. The restart will definitely happen.



After Windows starts again, paste the contents of the CureIt log into the thread.

Also, download ComboFix from the following address (delete the one you have now):

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Run it and post the log you get.
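The ComboFix log in this thread shows the same signs the AVZ script above goes after: processes running from the Temp folder, the Windows Firewall switched off, Security Center notifications suppressed, unexpected executables added to the firewall exception list, a newly created driver service (ASC3360PR) and an Active Setup entry that launches an executable straight out of system32. As an added example (not code from ComboFix, AVZ, Dr.Web or this forum), the Python below reads log text in that format and flags those lines, so a helper triaging a posted log can spot them quickly. The indicator names, the baseline-exception list and the sample log lines are constructed for the demo (the sample reuses values visible in this thread's log), and the checks are heuristics, not a signature for Sality.

```python
"""Heuristic triage of ComboFix/HijackThis-style log text for Sality-type indicators.

Added example for this thread (not ComboFix, AVZ or forum code). The indicator
names and the baseline-exception list are constructed assumptions for the demo.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    indicator: str   # short label for what the line suggests
    line: str        # the log line that triggered it


# Firewall exceptions a clean Windows XP SP3 already lists under \WINDOWS.
# Constructed baseline: anything else authorized from the Windows directory is worth a look.
BASELINE_WINDOWS_EXCEPTIONS = {"xpnetdiag.exe", "sessmgr.exe"}


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and return every line that matches an indicator."""
    findings: list[Finding] = []
    section = ""  # lower-cased registry key whose values are currently being listed

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):                    # "[HKEY_...]" opens a key listing
            section = line.lower()
            continue
        if line == "." or line.startswith("---"):   # ComboFix separators close it
            section = ""
            continue
        low = line.lower()

        if "authorizedapplications" in section:
            # Values look like "c:\\WINDOWS\\system32\\taskmgr.exe"=
            m = re.match(r'"(.+?)"=', line)
            if m:
                path = m.group(1).replace("\\\\", "\\")
                name = path.rsplit("\\", 1)[-1].lower()
                if "\\windows\\" in path.lower() and name not in BASELINE_WINDOWS_EXCEPTIONS:
                    findings.append(Finding("firewall_exception_in_windows_dir", line))
            continue

        if "active setup\\installed components" in section:
            # Active Setup running a bare .exe out of system32 is not what installers leave behind
            if low.endswith(".exe") and "\\system32\\" in low:
                findings.append(Finding("active_setup_launches_exe_from_system32", line))
            continue

        if re.match(r'"enablefirewall"=\s*0\b', low):
            findings.append(Finding("windows_firewall_disabled", line))
        elif re.match(r'"(antivirus|updates)disablenotify"=dword:0*1$', low):
            findings.append(Finding("security_center_notifications_suppressed", line))
        elif re.search(r"\\temp\\[^\\]+\.exe$", low):
            findings.append(Finding("executable_running_from_temp", line))
        elif low.startswith("*newlycreated*"):
            findings.append(Finding("newly_created_driver_service", line))
    return findings


def indicator_counts(findings: list[Finding]) -> dict[str, int]:
    """Summarise findings as {indicator: count}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.indicator] = counts.get(f.indicator, 0) + 1
    return counts


# Constructed sample, reusing lines of the kind seen in this thread's log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dvvsb.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winkqsk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\WINDOWS\\system32\\CF6048.exe"=

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASC3360PR

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5477D33F-0944-58FD-221B-DE07A7698242}]
c:\windows\system32\blka.exe
.
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.indicator:45} {finding.line}")
```

Run it on a saved log with `triage(open(path, encoding="cp1250", errors="replace").read())`; every finding carries the raw line, so the helper can quote it back in the thread. The separator handling matters: ComboFix ends a key listing with a lone `.` or a `---` banner rather than a blank line, and without resetting the section the `*NewlyCreated*` line would be swallowed by the firewall-exception branch.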
