Bigger problem with a virus???

  • Joined: 26 Dec 2007
  • Posts: 132

Win XP SP2, security packages updated just today.

While installing the new version of NOD32 4.0.437.0, the installation over the old version got complicated and today I was left without AV protection. In the meantime I downloaded and installed some programs... All of a sudden Zone Alarm (the PRO version, almost the latest one) started popping up with a pile of blocked .exe files. I saw that I had messed things up. I could not start NOD32 at all, so I turned to Spybot S&D and it found this:


After the reset I let it continue scanning and immunized the files. Later I managed to install NOD32 and started scanning...
It found this:


The problem I am writing about is that at around 40-45% of the NOD32 scan strange things start happening... Letters and icons simply start disappearing; when I bring up a window I see nothing, everything in NOD disappears, I cannot see anything any more.
Also, as a result of one of these deletions I see that I have been logged out of all forums (the cookies were deleted) and my Opera got deconfigured (what I had changed and the icons I had added)... I hope these are all just consequences.


Here is also the HijackThis file from a while ago

This has never happened to me, nor anything even close to this problem; I am really careful, and now it hits me like this, GUZ - Glavom U Zid (head against the wall)

I would like to ask you for help.



Logfile of HijackThis v1.99.1
Scan saved at 2:17:42, on 9.6.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\lvhidsvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\LClock\lclock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS USB ADSL Modem\ASUS USB ADSL Modem\DSLMON.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\Small Programs, Tools, Utilities (no installed)\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = search.babylon.com/home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R3 - URLSearchHook: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyB0.dll
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {5BE7599C-E1D8-4645-B28F-592935A798FE} - (no file)
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: CmjBrowserHelperObject Object - {6FE6A929-59D1-4763-91AD-29B61CFFB35B} - C:\Program Files\Mindjet\MindManager 8\Mm8InternetExplorer.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Babylon IE plugin - {9CFACCB6-2F3F-4177-94EA-0D2B72D384C1} - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
O2 - BHO: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyB0.dll
O3 - Toolbar: myBabylon English Toolbar - {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - C:\Program Files\myBabylon_English\tbmyB0.dll
O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mindmaster] C:\Program Files\Tony Dosanjh\Mindmaster\MindMaster.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\ASUS USB ADSL Modem\ASUS USB ADSL Modem\DSLMON.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Translate this web page with Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
O8 - Extra context menu item: Translate with Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Send to Mindjet MindManager - {2F72393D-2472-4F82-B600-ED77F354B7FF} - C:\Program Files\Mindjet\MindManager 8\Mm8InternetExplorer.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {941E1A34-C6AF-4baa-A973-224F9C3E04BF} - (no file)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Translate this web page with Babylon - {f72841f0-4ef1-4df5-bce5-b3ac8acf5478} - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
O9 - Extra 'Tools' menuitem: Translate this web page with Babylon - {f72841f0-4ef1-4df5-bce5-b3ac8acf5478} - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~2\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~2\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - %fystemRoot%\system32\svchost.exe (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ESET HTTP Server (ehttpsrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote HID Service (LvHidSvc) - Philips - C:\WINDOWS\system32\lvhidsvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - %fystemroot%\system32\svchost.exe (file missing)
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Greetings...



Download sUBs' ComboFix to the Desktop from one of the following addresses:


Bleeping Computer . . . . . Geeks to Go!
Right-click one of the links and choose the Save Target As... option (Save Link As..., Save Linked Content As... or similar);
When the dialog for choosing where to save the file opens, select Desktop and click Save.




When the download has finished:
  • close running programs;
  • disable the security software (instructions);
  • double-click to run ComboFix.

While running, ComboFix will:
  • check whether a newer version of the program exists:
    click Yes if it offers to download it;
  • display the DISCLAIMER OF WARRANTY ON SOFTWARE:
    click Yes so that the process continues;
  • if the Recovery Console is not installed, offer to install it:
    accept by clicking Yes and follow the procedure;
  • ask a number of questions / display notices:
    accept by clicking Yes or OK;
  • restart Windows if needed (several times);
  • at the end of its run, open Notepad with the scan report.


Copy the report that ComboFix created into the forum thread:
  • right-click in the Notepad window and choose Select All;
  • right-click the selected text and choose Copy;
  • right-click in the message box and choose Paste.


Note: The report will be saved under the name ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
If after posting your message you notice that the report is incomplete, use the Attach file option to attach the file C:\ComboFix.txt to the message.

  • Joined: 26 Dec 2007
  • Posts: 132

Written: 10 Jun 2009 13:16

Here is the log file:


ComboFix 09-06-09.01 - DeCkY 10.06.2009 12:56.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.1023.554 [GMT 2:00]
Running from: d:\downloads\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-05-10 to 2009-06-10 )))))))))))))))))))))))))))))))
.

2009-06-08 22:47 . 2009-06-08 22:47 -------- d-----w- c:\program files\ESET
2009-06-08 22:47 . 2009-06-08 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-06-08 20:53 . 2004-08-04 11:00 28160 --s-a-r- c:\documents and settings\Administrator\Application Data\TuneUp Software\TuneUp Utilities\StartUp Manager\Disabled objects\fmnupd32.exe
2009-06-08 20:48 . 2009-06-10 10:58 95436 ----a-w- c:\windows\system32\drivers\21e0797.sys
2009-06-08 20:45 . 2009-06-08 20:45 180224 ----a-w- c:\windows\system32\WinVd32.sys
2009-06-08 20:45 . 2009-06-08 20:45 7680 ----a-w- c:\windows\system32\WinFLsrv.exe
2009-06-08 20:45 . 2009-06-08 20:45 10752 ----a-w- c:\windows\system32\WinFLdrv.sys
2009-06-08 20:45 . 2009-06-08 20:45 -------- d-----w- c:\program files\Folder Lock 6
2009-06-08 20:39 . 2009-06-08 20:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\ArcticLine
2009-06-08 20:32 . 2009-06-08 22:58 -------- d-----w- c:\windows\LastGood
2009-06-08 19:25 . 2009-06-08 19:25 1431040 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{B440D659-FECA-4BDD-A12B-5C9F05790FF3}\Icon0E6ED660.exe
2009-06-08 16:03 . 2008-06-24 16:28 74240 ------w- c:\windows\system32\dllcache\mscms.dll
2009-06-08 16:03 . 2009-02-03 19:52 56320 ------w- c:\windows\system32\dllcache\secur32.dll
2009-06-08 16:03 . 2009-03-21 13:54 989184 ------w- c:\windows\system32\dllcache\kernel32.dll
2009-06-08 16:03 . 2008-12-05 06:41 144896 ------w- c:\windows\system32\dllcache\schannel.dll
2009-06-08 16:03 . 2008-06-12 13:47 91648 ------w- c:\windows\system32\dllcache\mtxoci.dll
2009-06-08 16:03 . 2008-06-12 13:47 66560 ------w- c:\windows\system32\dllcache\mtxclu.dll
2009-06-08 16:03 . 2008-06-12 13:47 161792 ------w- c:\windows\system32\dllcache\msdtcuiu.dll
2009-06-08 16:03 . 2008-06-12 13:47 58880 ------w- c:\windows\system32\dllcache\msdtclog.dll
2009-06-08 16:03 . 2008-06-12 13:47 956928 ------w- c:\windows\system32\dllcache\msdtctm.dll
2009-06-08 16:03 . 2008-06-12 13:47 428032 ------w- c:\windows\system32\dllcache\msdtcprx.dll
2009-06-08 16:03 . 2008-07-03 13:16 8454656 ------w- c:\windows\system32\dllcache\shell32.dll
2009-06-08 16:02 . 2008-12-16 12:47 351232 ------w- c:\windows\system32\dllcache\winhttp.dll
2009-06-08 16:02 . 2009-03-06 14:00 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2009-06-08 16:02 . 2009-02-09 10:01 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-06-08 16:02 . 2009-02-06 09:54 35328 ------w- c:\windows\system32\dllcache\sc.exe
2009-06-08 16:02 . 2005-07-26 04:20 60416 ------w- c:\windows\system32\dllcache\colbact.dll
2009-06-08 16:02 . 2009-02-09 10:01 728576 ------w- c:\windows\system32\dllcache\lsasrv.dll
2009-06-08 16:02 . 2009-02-09 10:01 617984 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-06-08 16:02 . 2009-02-09 10:01 473088 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-06-08 16:02 . 2009-02-09 10:01 715264 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-06-08 16:02 . 2009-02-06 09:41 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-06-08 06:31 . 2009-06-08 06:31 -------- d-----w- c:\program files\Real Alternative
2009-06-08 06:31 . 2009-06-08 06:31 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Real
2009-06-08 06:14 . 2009-06-08 06:14 19308 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-08 06:11 . 2009-06-08 14:40 -------- d-----w- c:\program files\Picasa2
2009-06-08 05:55 . 2009-06-08 05:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\DMCache
2009-06-06 22:56 . 2008-09-16 19:23 168448 ----a-w- c:\windows\system32\unrar.dll
2009-06-06 22:56 . 2009-06-06 22:57 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-06-06 22:36 . 2009-06-06 22:36 131584 ----a-w- c:\windows\system32\SpoonUninstall.exe
2009-06-06 21:56 . 2009-06-06 21:56 348160 ----a-w- c:\windows\MSVCR71.DLL
2009-06-06 21:56 . 2009-06-06 21:56 1060864 ----a-w- c:\windows\MFC71.DLL
2009-06-04 21:45 . 2009-06-04 21:45 -------- d-----w- c:\program files\Common Files\PCSuite
2009-06-04 21:45 . 2009-06-04 21:45 -------- d-----w- c:\program files\Common Files\Nokia
2009-06-04 21:43 . 2008-08-26 08:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2009-06-04 21:42 . 2009-06-04 21:42 -------- d-----w- c:\program files\PC Connectivity Solution
2009-06-04 21:42 . 2009-02-09 05:37 7808 ----a-w- c:\windows\system32\usbser_lowerfltj.sys
2009-06-04 21:42 . 2009-02-09 05:37 7808 ----a-w- c:\windows\system32\usbser_lowerflt.sys
2009-06-04 21:42 . 2009-02-09 05:37 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2009-06-04 21:42 . 2009-02-09 05:37 659968 ----a-w- c:\windows\system32\nmwcdcocls.dll
2009-06-04 21:42 . 2009-02-09 05:37 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2009-06-04 21:42 . 2009-02-09 05:32 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2009-06-04 21:41 . 2009-06-04 21:40 34396584 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Nokia_PC_Suite_7_1_26_0_eng.exe
2009-06-04 21:41 . 2009-06-04 21:41 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstCCD.exe
2009-06-04 21:41 . 2009-06-04 21:41 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-06-04 21:41 . 2009-06-04 21:41 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCS.exe
2009-06-04 15:03 . 2009-06-04 15:03 -------- d-----w- c:\program files\MagicLogic
2009-06-04 10:05 . 2009-06-05 12:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Braid
2009-06-04 10:04 . 2008-10-30 09:57 3851784 ----a-w- c:\windows\system\d3dx9_39.dll
2009-06-04 00:19 . 2009-06-04 00:23 -------- d-----w- c:\program files\Triogical2
2009-06-02 15:27 . 2009-06-03 13:27 25 ----a-w- c:\windows\popcinfot.dat
2009-06-01 16:26 . 2009-06-01 16:26 -------- d-----w- c:\program files\Audacity
2009-06-01 16:25 . 2009-06-01 16:25 2228534 ----a-w- c:\documents and settings\Administrator\Application Data\OpenCandy\audacity-win-1.2.6.exe
2009-06-01 16:25 . 2009-06-01 16:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenCandy
2009-06-01 16:25 . 2009-06-01 16:25 -------- d-----w- c:\program files\MediaInfo
2009-05-20 19:53 . 2009-05-20 19:53 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2009-05-20 19:37 . 2009-05-20 19:37 -------- d-----w- c:\program files\7-Zip
2009-05-14 13:47 . 2009-05-14 13:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 00:19 . 2009-05-14 00:20 -------- d-----w- c:\program files\WinISD

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-10 10:54 . 2008-08-30 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2009-06-10 10:53 . 2008-04-30 21:49 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-06-10 09:53 . 2009-02-02 18:17 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-06-10 09:53 . 2009-02-02 18:16 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-06-10 01:39 . 2009-06-10 09:53 6298624 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2009-06-10 01:39 . 2009-06-10 09:53 77312 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2009-06-09 19:18 . 2009-06-09 19:19 6298112 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2009-06-09 19:18 . 2009-06-09 19:19 50688 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2009-06-09 16:25 . 2009-06-09 16:26 6297600 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2009-06-09 16:25 . 2009-06-09 16:26 59904 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2009-06-09 13:41 . 2009-06-09 13:43 90112 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2009-06-09 13:41 . 2009-06-09 13:43 6297088 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2009-06-09 10:44 . 2008-05-18 15:58 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-09 01:32 . 2009-06-09 10:00 6295040 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2009-06-09 01:32 . 2009-06-09 10:00 93696 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2009-06-08 23:25 . 2009-06-08 23:27 6291456 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2009-06-08 23:25 . 2009-06-08 23:27 209408 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-06-08 22:58 . 2008-08-30 12:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Babylon
2009-06-08 22:41 . 2004-08-04 11:00 110592 ----a-w- c:\windows\system32\services.exe
2009-06-08 21:28 . 2009-06-08 21:30 76800 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-06-08 20:58 . 2009-03-21 02:06 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-08 20:50 . 2009-06-08 20:52 6289408 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-06-08 20:50 . 2009-06-08 20:52 140288 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-06-08 20:23 . 2009-03-07 17:48 -------- d-----w- c:\program files\Total Video Converter
2009-06-08 20:23 . 2008-05-02 08:36 -------- d-----w- c:\program files\FlashGet
2009-06-08 19:26 . 2008-05-13 15:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-08 08:10 . 2008-04-30 17:21 18824 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-08 06:08 . 2008-04-30 18:06 -------- d-----w- c:\program files\Common Files\ACD Systems
2009-06-08 06:07 . 2008-04-30 18:06 -------- d-----w- c:\documents and settings\All Users\Application Data\ACD Systems
2009-06-08 06:07 . 2009-01-09 21:38 -------- d-----w- c:\program files\Google
2009-06-08 05:50 . 2008-04-30 16:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-07 23:57 . 2009-01-01 23:30 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-06-07 17:44 . 2008-05-06 11:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2009-06-06 21:56 . 2007-01-17 12:47 40960 ----a-w- c:\windows\SimTestDll.dll
2009-06-04 21:42 . 2008-04-30 19:47 -------- d-----w- c:\program files\Nokia
2009-06-04 21:41 . 2008-04-30 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2009-05-31 23:01 . 2008-08-03 09:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-05-19 06:34 . 2009-01-01 23:30 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-05-14 13:49 . 2007-12-21 06:21 94360 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-05-14 13:41 . 2007-12-21 06:19 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-05-05 10:59 . 2009-01-24 11:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-04 23:50 . 2009-01-01 23:32 604416 ----a-w- c:\windows\system32\TUProgSt.exe
2009-05-04 23:50 . 2009-05-04 23:50 361216 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-05-04 13:33 . 2009-05-04 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Synetic
2009-05-03 15:12 . 2008-09-01 13:33 -------- d-----w- c:\program files\UltraISO
2009-05-03 15:12 . 2008-09-01 13:34 -------- d-----w- c:\program files\Common Files\EZB Systems
2009-04-27 12:21 . 2009-05-04 23:50 28928 ----a-w- c:\windows\system32\uxtuneup.dll
2009-04-18 20:04 . 2009-02-09 00:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\MindMapper 2008
2009-04-16 00:01 . 2009-02-23 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-04-02 10:21 . 2008-06-29 22:14 12144782 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-03-25 21:46 . 2009-03-25 21:46 3638 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{895B66E8-EB02-454C-9342-11D5A5A251D5}\_BCAF39779F22DE3F0F4274.exe
2009-03-25 21:46 . 2009-03-25 21:46 3638 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{895B66E8-EB02-454C-9342-11D5A5A251D5}\_72944B81904FA5A9DC4E15.exe
2009-03-25 21:46 . 2009-03-25 21:46 3638 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{895B66E8-EB02-454C-9342-11D5A5A251D5}\_5B95F73493E3D4CF1B579E.exe
.

------- Sigcheck -------

[-] 2008-04-07 18:33 577536 7A540726CA75E1E988D56AB69925BA79 c:\windows\system32\user32.dll

[-] 2008-04-07 18:34 776192 4DF249A77F56F6B759340101FDB94654 c:\windows\system32\wininet.dll

[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2009-02-18 00:02 360960 C86970F63DAFFB97D8221A0136DF3224 c:\windows\system32\dllcache\tcpip.sys
[-] 2009-02-18 00:22 360960 C86970F63DAFFB97D8221A0136DF3224 c:\windows\system32\drivers\tcpip.sys

[-] 2008-04-07 18:34 551424 D11C23CEA166B74FB63F89249BE9C266 c:\windows\system32\winlogon.exe

[-] 2008-04-07 18:30 1588736 16A2E225871FE74735F51AFE2C9164A9 c:\windows\explorer.exe

[-] 2008-04-07 18:30 40448 E00DFA816FA5521EB44C5D63109DE2A9 c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]
2008-11-23 22:03 1784856 ----a-w- c:\program files\myBabylon_English\tbmyB0.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="c:\program files\LClock\lclock.exe" [2004-09-19 65536]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-07 40448]
"Mindmaster"="c:\program files\Tony Dosanjh\Mindmaster\MindMaster.exe" [2009-02-06 4952064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-04 8523776]
"Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2009-06-08 4025744]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2004-08-04 99840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DSLMON.lnk - c:\program files\ASUS USB ADSL Modem\ASUS USB ADSL Modem\DSLMON.exe [2008-4-30 929889]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MaxRecentDocs"= 15 (0xf)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoInternetIcon"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, digest.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RecSche"="c:\program files\LifeView TVR\RecSche.exe"
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashGet\\FlashGet.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14.5.2009 15:47 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [21.12.2007 8:21 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14.5.2009 15:47 731840]
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [9.9.2008 14:49 693512]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2.1.2009 1:32 604416]
R2 WinFLdrv;WinFLdrv;c:\windows\system32\WinFLdrv.sys [8.6.2009 22:45 10752]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [11.2.2009 0:19 598856]
R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [20.12.2007 17:13 1553896]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [9.9.2008 14:49 906504]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
S3 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [4.8.2004 13:00 5120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-06-10 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-04-27 13:37]

2009-06-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-1214440339-682003330-500.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-19 16:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.babylon.com/home
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Translate this web page with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
IE: {{f72841f0-4ef1-4df5-bce5-b3ac8acf5478} - res://c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\k63621ll.default\
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-06-10 12:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\sys_drv.dat 7028 bytes
c:\windows\system32\sys_drv_2.dat 6024 bytes
c:\documents and settings\Administrator\Application Data\systemfl.$dk 990 bytes

scan completed successfully
hidden files: 3

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OMSCAN]
"ImagePath"="\Sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\21e0797]
"ImagePath"="\SystemRoot\System32\drivers\21e0797.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-299502267-1214440339-682003330-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a7,c2,48,53,a7,fa,a0,07,76,fd,2e,31,12,85,f8,70,ab,44,8b,20,4c,46,45,
f4,61,f4,09,45,7b,6b,98,ca,a0,fc,26,57,11,06,95,7a,01,bb,a3,23,20,81,3b,fa,\
"??"=hex:2f,87,fa,5f,63,6c,01,64,41,4b,3c,6e,3a,5f,4a,aa

[HKEY_USERS\s-1-5-21-299502267-1214440339-682003330-500\Software\SecuROM\License information*]
"datasecu"=hex:a7,21,5d,f0,31,f9,8e,af,5f,d7,60,8d,b1,42,57,5d,fe,f0,b2,99,a7,
f0,23,be,7b,e1,9a,e9,4d,b8,7e,d2,2c,e6,81,83,9f,f8,45,76,0d,66,9a,96,0b,56,\
"rkeysecu"=hex:a2,76,94,96,eb,8d,b4,4b,cf,1c,9c,15,2c,13,cd,80

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):69,fb,fa,46,58,ee,62,2e,a7,c3,75,6f,a2,9a,04,0d,06,06,01,1a,ad,
f4,4a,7c,9d,10,0c,69,83,e2,8e,f5,f4,e9,f4,b2,d4,e2,1a,da,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{eb031e90-34ea-482e-ac25-7218dd54f157}]
@Denied: (Full) (Everyone)
"Model"=dword:0000015f
"Therad"=dword:00000015
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(580)
c:\windows\system32\SETUPAPI.dll

- - - - - - - > 'lsass.exe'(636)
c:\windows\system32\SETUPAPI.dll

- - - - - - - > 'explorer.exe'(4064)
c:\windows\system32\SHDOCVW.dll
c:\windows\system32\COMRes.dll
c:\program files\Babylon\Babylon-Pro\Captlib.dll
c:\windows\system32\MSVCP60.dll
c:\windows\system32\credui.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\LClock\LC.dll
.
Completion time: 2009-06-10 13:00
ComboFix-quarantined-files.txt 2009-06-10 11:00
ComboFix2.txt 2009-06-10 10:40

Pre-Run: 33.846.722.560 bytes free
Post-Run: 33.835.855.872 bytes free

332 --- E O F --- 2009-06-08 19:16



Here are also photos from my phone of what it looks like when Windows starts going crazy.

Addendum: 10 Jun 2009 13:18

By the way, I made 2 log files and this is the second one. I messed something up with the first one so I had to do it again. Hopefully no change was made...

Addendum: 10 Jun 2009 13:22

This is the first file, I attached it like this. I see that it also deleted something during the first scan.

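As an added example that is not part of this thread and not ComboFix's own code: a small Python triage script that pulls out of a ComboFix log like the one above the items a helper reads first. The sample input is constructed from lines of that log; the regexes and the table of "protection off" values are assumptions about the log format, not ComboFix documentation.

```python
"""Triage a ComboFix log like the ones posted in this thread (added example).

Collects: files catchme lists as hidden, services printed with their ImagePath,
Security Center / firewall values that turn protection off, and Sigcheck lines
tagged [-] (a system file whose hash does not match a known-good copy).
"""
import re

# Constructed sample: a handful of lines copied from the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
scanning hidden files ...
c:\windows\system32\sys_drv.dat 7028 bytes
c:\documents and settings\Administrator\Application Data\systemfl.$dk 990 bytes
scan completed successfully
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OMSCAN]
"ImagePath"="\Sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\21e0797]
"ImagePath"="\SystemRoot\System32\drivers\21e0797.sys"
[-] 2008-04-07 18:34 551424 D11C23CEA166B74FB63F89249BE9C266 c:\windows\system32\winlogon.exe
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
"""

HIDDEN_FILE = re.compile(r"^(?P<path>[a-z]:\\.+?)\s+(?P<size>\d+) bytes$", re.I)
SERVICE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\]]+)\]$", re.I)
IMAGE_PATH = re.compile(r'^"ImagePath"="(?P<path>[^"]*)"$')
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>\S+)')
SIGCHECK_BAD = re.compile(
    r"^\[-\]\s+\S+\s+\S+\s+(?P<size>\d+)\s+(?P<md5>[0-9a-f]{32})\s+(?P<path>.+)$", re.I)

# Values that, as ComboFix prints them, mean a protection has been switched off (assumed).
PROTECTION_OFF = {
    "UpdatesDisableNotify": ("dword:00000001", "Security Center update alerts silenced"),
    "EnableFirewall": ("0", "Windows Firewall off in the standard profile"),
}


def triage(log_text):
    """Return the findings pulled from a ComboFix log, grouped by kind."""
    findings = {"hidden_files": [], "services": [], "protection_off": [], "sigcheck_bad": []}
    in_hidden = False   # inside catchme's "scanning hidden files" block
    service = None      # name from the last [...\Services\<name>] header seen
    for line in log_text.splitlines():
        if line == "scanning hidden files ...":
            in_hidden = True
            continue
        if line.startswith("scan completed"):
            in_hidden = False
            continue
        if in_hidden:
            m = HIDDEN_FILE.match(line)
            if m:
                findings["hidden_files"].append((m["path"], int(m["size"])))
            continue
        m = SERVICE_KEY.match(line)
        if m:
            service = m["name"]
            continue
        m = IMAGE_PATH.match(line)
        if m and service:
            path = m["path"]
            # ComboFix prints only services it does not recognise, so each deserves a
            # look; the flag marks those whose ImagePath is not even a loadable image.
            no_image = not path.lower().endswith((".sys", ".exe"))
            findings["services"].append((service, path, no_image))
            service = None
            continue
        m = REG_VALUE.match(line)
        if m and m["name"] in PROTECTION_OFF:
            expected, meaning = PROTECTION_OFF[m["name"]]
            if m["value"] == expected:
                findings["protection_off"].append((m["name"], meaning))
            continue
        m = SIGCHECK_BAD.match(line)
        if m:
            findings["sigcheck_bad"].append((m["path"], m["md5"].upper()))
    return findings


def report(findings):
    """Render findings as one line per item, ready to paste into a reply."""
    out = []
    for path, size in findings["hidden_files"]:
        out.append(f"hidden file: {path} ({size} bytes)")
    for name, path, no_image in findings["services"]:
        note = " (ImagePath is not a .sys/.exe)" if no_image else ""
        out.append(f"service {name}: {path}{note}")
    for name, meaning in findings["protection_off"]:
        out.append(f"{name}: {meaning}")
    for path, md5 in findings["sigcheck_bad"]:
        out.append(f"sigcheck mismatch: {path} md5={md5}")
    return out


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```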
offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Where you live: Höganäs, SE

Upload the following files:

c:\windows\system32\winlogon.exe
c:\windows\system32\ctfmon.exe

via this link: http://www.mycity.rs/ambulanta-upload.php

offline
  • Joined: 26 Dec 2007
  • Posts: 132

I uploaded both.
Bora, let me mention that tonight, after a reset, a window popped up saying that Windows would shut down, i.e. restart, and it mentioned services.exe. I didn't manage to read it because I tried to take a screenshot, but the system was quite slow, so the program (SnagIt) didn't even load before the window closed. Windows did not restart, although the whole system was running quite slowly. I couldn't connect to the internet, etc. I went into safe mode and let NOD32 scan. Since it did that from a DOS window I didn't pay attention to what was happening.

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Where you live: Höganäs, SE

Open Notepad and copy the following text:


File::
c:\windows\system32\drivers\21e0797.sys

FileLook::
c:\documents and settings\Administrator\Application Data\TuneUp Software\TuneUp Utilities\StartUp Manager\Disabled objects\fmnupd32.exe
c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{B440D659-FECA-4BDD-A12B-5C9F05790FF3}\Icon0E6ED660.exe

Driver::
21e0797

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{eb031e90-34ea-482e-ac25-7218dd54f157}]



Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post in the next message the log that is created at the end of the cleaning/scanning.

offline
  • Joined: 26 Dec 2007
  • Posts: 132

It didn't work for me the first time. First the green progress bar started loading, I had to 'kill' it, then I ran it again and it told me "not enough quota is available to process this command", it started acting up, I reset and then it worked.

Here is what it produced:

ComboFix 09-06-09.01 - DeCkY 10.06.2009 23:49.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.1023.589 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\windows\system32\drivers\21e0797.sys"
.

((((((((((((((((((((((((( Files Created from 2009-05-10 to 2009-06-10 )))))))))))))))))))))))))))))))
.

2009-06-08 22:47 . 2009-06-08 22:47 -------- d-----w- c:\program files\ESET
2009-06-08 22:47 . 2009-06-08 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-06-08 20:53 . 2004-08-04 11:00 28160 --s-a-r- c:\documents and settings\Administrator\Application Data\TuneUp Software\TuneUp Utilities\StartUp Manager\Disabled objects\fmnupd32.exe
2009-06-08 20:45 . 2009-06-08 20:45 180224 ----a-w- c:\windows\system32\WinVd32.sys
2009-06-08 20:45 . 2009-06-08 20:45 7680 ----a-w- c:\windows\system32\WinFLsrv.exe
2009-06-08 20:45 . 2009-06-08 20:45 10752 ----a-w- c:\windows\system32\WinFLdrv.sys
2009-06-08 20:45 . 2009-06-08 20:45 -------- d-----w- c:\program files\Folder Lock 6
2009-06-08 20:39 . 2009-06-08 20:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\ArcticLine
2009-06-08 19:25 . 2009-06-08 19:25 1431040 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{B440D659-FECA-4BDD-A12B-5C9F05790FF3}\Icon0E6ED660.exe
2009-06-08 16:03 . 2008-06-24 16:28 74240 ------w- c:\windows\system32\dllcache\mscms.dll
2009-06-08 16:03 . 2009-02-03 19:52 56320 ------w- c:\windows\system32\dllcache\secur32.dll
2009-06-08 16:03 . 2009-03-21 13:54 989184 ------w- c:\windows\system32\dllcache\kernel32.dll
2009-06-08 16:03 . 2008-12-05 06:41 144896 ------w- c:\windows\system32\dllcache\schannel.dll
2009-06-08 16:03 . 2008-06-12 13:47 91648 ------w- c:\windows\system32\dllcache\mtxoci.dll
2009-06-08 16:03 . 2008-06-12 13:47 66560 ------w- c:\windows\system32\dllcache\mtxclu.dll
2009-06-08 16:03 . 2008-06-12 13:47 161792 ------w- c:\windows\system32\dllcache\msdtcuiu.dll
2009-06-08 16:03 . 2008-06-12 13:47 58880 ------w- c:\windows\system32\dllcache\msdtclog.dll
2009-06-08 16:03 . 2008-06-12 13:47 956928 ------w- c:\windows\system32\dllcache\msdtctm.dll
2009-06-08 16:03 . 2008-06-12 13:47 428032 ------w- c:\windows\system32\dllcache\msdtcprx.dll
2009-06-08 16:03 . 2008-07-03 13:16 8454656 ------w- c:\windows\system32\dllcache\shell32.dll
2009-06-08 16:02 . 2008-12-16 12:47 351232 ------w- c:\windows\system32\dllcache\winhttp.dll
2009-06-08 16:02 . 2009-03-06 14:00 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2009-06-08 16:02 . 2009-02-09 10:01 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-06-08 16:02 . 2009-02-06 09:54 35328 ------w- c:\windows\system32\dllcache\sc.exe
2009-06-08 16:02 . 2005-07-26 04:20 60416 ------w- c:\windows\system32\dllcache\colbact.dll
2009-06-08 16:02 . 2009-02-09 10:01 728576 ------w- c:\windows\system32\dllcache\lsasrv.dll
2009-06-08 16:02 . 2009-02-09 10:01 617984 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-06-08 16:02 . 2009-02-09 10:01 473088 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-06-08 16:02 . 2009-02-09 10:01 715264 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-06-08 16:02 . 2009-02-06 09:41 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-06-08 06:31 . 2009-06-08 06:31 -------- d-----w- c:\program files\Real Alternative
2009-06-08 06:31 . 2009-06-08 06:31 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Real
2009-06-08 06:14 . 2009-06-08 06:14 19308 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-08 06:11 . 2009-06-08 14:40 -------- d-----w- c:\program files\Picasa2
2009-06-08 05:55 . 2009-06-08 05:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\DMCache
2009-06-06 22:56 . 2008-09-16 19:23 168448 ----a-w- c:\windows\system32\unrar.dll
2009-06-06 22:56 . 2009-06-06 22:57 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-06-06 22:36 . 2009-06-06 22:36 131584 ----a-w- c:\windows\system32\SpoonUninstall.exe
2009-06-06 21:56 . 2009-06-06 21:56 348160 ----a-w- c:\windows\MSVCR71.DLL
2009-06-06 21:56 . 2009-06-06 21:56 1060864 ----a-w- c:\windows\MFC71.DLL
2009-06-04 21:45 . 2009-06-04 21:45 -------- d-----w- c:\program files\Common Files\PCSuite
2009-06-04 21:45 . 2009-06-04 21:45 -------- d-----w- c:\program files\Common Files\Nokia
2009-06-04 21:43 . 2008-08-26 08:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2009-06-04 21:42 . 2009-06-04 21:42 -------- d-----w- c:\program files\PC Connectivity Solution
2009-06-04 21:42 . 2009-02-09 05:37 7808 ----a-w- c:\windows\system32\usbser_lowerfltj.sys
2009-06-04 21:42 . 2009-02-09 05:37 7808 ----a-w- c:\windows\system32\usbser_lowerflt.sys
2009-06-04 21:42 . 2009-02-09 05:37 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2009-06-04 21:42 . 2009-02-09 05:37 659968 ----a-w- c:\windows\system32\nmwcdcocls.dll
2009-06-04 21:42 . 2009-02-09 05:37 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2009-06-04 21:42 . 2009-02-09 05:32 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2009-06-04 21:41 . 2009-06-04 21:40 34396584 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Nokia_PC_Suite_7_1_26_0_eng.exe
2009-06-04 21:41 . 2009-06-04 21:41 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstCCD.exe
2009-06-04 21:41 . 2009-06-04 21:41 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-06-04 21:41 . 2009-06-04 21:41 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCS.exe
2009-06-04 15:03 . 2009-06-04 15:03 -------- d-----w- c:\program files\MagicLogic
2009-06-04 10:05 . 2009-06-05 12:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Braid
2009-06-04 10:04 . 2008-10-30 09:57 3851784 ----a-w- c:\windows\system\d3dx9_39.dll
2009-06-04 00:19 . 2009-06-04 00:23 -------- d-----w- c:\program files\Triogical2
2009-06-02 15:27 . 2009-06-03 13:27 25 ----a-w- c:\windows\popcinfot.dat
2009-06-01 16:26 . 2009-06-01 16:26 -------- d-----w- c:\program files\Audacity
2009-06-01 16:25 . 2009-06-01 16:25 2228534 ----a-w- c:\documents and settings\Administrator\Application Data\OpenCandy\audacity-win-1.2.6.exe
2009-06-01 16:25 . 2009-06-01 16:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenCandy
2009-06-01 16:25 . 2009-06-01 16:25 -------- d-----w- c:\program files\MediaInfo
2009-05-20 19:53 . 2009-05-20 19:53 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2009-05-20 19:37 . 2009-05-20 19:37 -------- d-----w- c:\program files\7-Zip
2009-05-14 13:47 . 2009-05-14 13:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 00:19 . 2009-05-14 00:20 -------- d-----w- c:\program files\WinISD

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-10 21:48 . 2008-08-30 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2009-06-10 21:47 . 2009-02-02 18:17 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-06-10 21:47 . 2009-02-02 18:16 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-06-10 20:23 . 2008-05-18 15:58 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-10 18:41 . 2009-06-10 18:42 6330368 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2009-06-10 18:41 . 2009-06-10 18:42 378880 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2009-06-10 11:02 . 2008-04-30 21:49 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-06-10 01:39 . 2009-06-10 09:53 6298624 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2009-06-10 01:39 . 2009-06-10 09:53 77312 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2009-06-09 19:18 . 2009-06-09 19:19 6298112 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2009-06-09 19:18 . 2009-06-09 19:19 50688 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2009-06-09 16:25 . 2009-06-09 16:26 6297600 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2009-06-09 16:25 . 2009-06-09 16:26 59904 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2009-06-09 13:41 . 2009-06-09 13:43 90112 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2009-06-09 13:41 . 2009-06-09 13:43 6297088 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2009-06-09 01:32 . 2009-06-09 10:00 6295040 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2009-06-09 01:32 . 2009-06-09 10:00 93696 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2009-06-08 23:25 . 2009-06-08 23:27 6291456 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2009-06-08 23:25 . 2009-06-08 23:27 209408 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-06-08 22:58 . 2008-08-30 12:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Babylon
2009-06-08 22:41 . 2004-08-04 11:00 110592 ----a-w- c:\windows\system32\services.exe
2009-06-08 21:28 . 2009-06-08 21:30 76800 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-06-08 20:58 . 2009-03-21 02:06 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-08 20:50 . 2009-06-08 20:52 6289408 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-06-08 20:50 . 2009-06-08 20:52 140288 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-06-08 20:23 . 2009-03-07 17:48 -------- d-----w- c:\program files\Total Video Converter
2009-06-08 20:23 . 2008-05-02 08:36 -------- d-----w- c:\program files\FlashGet
2009-06-08 19:26 . 2008-05-13 15:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-08 08:10 . 2008-04-30 17:21 18824 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-08 06:08 . 2008-04-30 18:06 -------- d-----w- c:\program files\Common Files\ACD Systems
2009-06-08 06:07 . 2008-04-30 18:06 -------- d-----w- c:\documents and settings\All Users\Application Data\ACD Systems
2009-06-08 06:07 . 2009-01-09 21:38 -------- d-----w- c:\program files\Google
2009-06-08 05:50 . 2008-04-30 16:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-07 23:57 . 2009-01-01 23:30 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-06-07 17:44 . 2008-05-06 11:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2009-06-06 21:56 . 2007-01-17 12:47 40960 ----a-w- c:\windows\SimTestDll.dll
2009-06-04 21:42 . 2008-04-30 19:47 -------- d-----w- c:\program files\Nokia
2009-06-04 21:41 . 2008-04-30 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2009-05-31 23:01 . 2008-08-03 09:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-05-19 06:34 . 2009-01-01 23:30 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-05-14 13:49 . 2007-12-21 06:21 94360 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-05-14 13:41 . 2007-12-21 06:19 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-05-05 10:59 . 2009-01-24 11:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-04 23:50 . 2009-01-01 23:32 604416 ----a-w- c:\windows\system32\TUProgSt.exe
2009-05-04 23:50 . 2009-05-04 23:50 361216 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-05-04 13:33 . 2009-05-04 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Synetic
2009-05-03 15:12 . 2008-09-01 13:33 -------- d-----w- c:\program files\UltraISO
2009-05-03 15:12 . 2008-09-01 13:34 -------- d-----w- c:\program files\Common Files\EZB Systems
2009-04-27 12:21 . 2009-05-04 23:50 28928 ----a-w- c:\windows\system32\uxtuneup.dll
2009-04-18 20:04 . 2009-02-09 00:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\MindMapper 2008
2009-04-16 00:01 . 2009-02-23 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-04-02 10:21 . 2008-06-29 22:14 12144782 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-03-25 21:46 . 2009-03-25 21:46 3638 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{895B66E8-EB02-454C-9342-11D5A5A251D5}\_BCAF39779F22DE3F0F4274.exe
2009-03-25 21:46 . 2009-03-25 21:46 3638 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{895B66E8-EB02-454C-9342-11D5A5A251D5}\_72944B81904FA5A9DC4E15.exe
2009-03-25 21:46 . 2009-03-25 21:46 3638 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{895B66E8-EB02-454C-9342-11D5A5A251D5}\_5B95F73493E3D4CF1B579E.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{B440D659-FECA-4BDD-A12B-5C9F05790FF3}\Icon0E6ED660.exe ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 1431040
Created time: 2009-06-08 19:25
Modified time: 2009-06-08 19:25
MD5: 3745419BCB39E63C0CD5009E03BD76EE
SHA1: 4A2199456EDBCD8DF946E1C6C322DD27FA4B367C


--- c:\documents and settings\Administrator\Application Data\TuneUp Software\TuneUp Utilities\StartUp Manager\Disabled objects\fmnupd32.exe ---
Company: Qbfusej Volhehevkex
File Description: Zbumajyhec yhydj
File Version: 40.83.2525
Product Name: Zbumajyhec yhydj
Copyright: Ran urjgxayd jogq Fjkynap.
Original Filename: deroxab.exe
File size: 28160
Created time: 2009-06-08 20:53
Modified time: 2004-08-04 11:00
MD5: 76AB34CECA6549B2B2F527B8A7AB3EAA
SHA1: 5914B47ADB57BBB7766B852D6675203AB08FD5E6


------- Sigcheck -------

[-] 2008-04-07 18:33 577536 7A540726CA75E1E988D56AB69925BA79 c:\windows\system32\user32.dll

[-] 2008-04-07 18:34 776192 4DF249A77F56F6B759340101FDB94654 c:\windows\system32\wininet.dll

[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2009-02-18 00:02 360960 C86970F63DAFFB97D8221A0136DF3224 c:\windows\system32\dllcache\tcpip.sys
[-] 2009-02-18 00:22 360960 C86970F63DAFFB97D8221A0136DF3224 c:\windows\system32\drivers\tcpip.sys

[-] 2008-04-07 18:34 551424 D11C23CEA166B74FB63F89249BE9C266 c:\windows\system32\winlogon.exe

[-] 2008-04-07 18:30 1588736 16A2E225871FE74735F51AFE2C9164A9 c:\windows\explorer.exe

[-] 2008-04-07 18:30 40448 E00DFA816FA5521EB44C5D63109DE2A9 c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-06-10_10.38.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-10 21:47 . 2009-06-10 21:47 16384 c:\windows\Temp\Perflib_Perfdata_9bc.dat
+ 2009-06-10 21:47 . 2009-06-10 21:47 16384 c:\windows\Temp\Perflib_Perfdata_6ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]
2008-11-23 22:03 1784856 ----a-w- c:\program files\myBabylon_English\tbmyB0.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="c:\program files\LClock\lclock.exe" [2004-09-19 65536]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-07 40448]
"Mindmaster"="c:\program files\Tony Dosanjh\Mindmaster\MindMaster.exe" [2009-02-06 4952064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-04 8523776]
"Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2009-06-08 4025744]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2004-08-04 99840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DSLMON.lnk - c:\program files\ASUS USB ADSL Modem\ASUS USB ADSL Modem\DSLMON.exe [2008-4-30 929889]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MaxRecentDocs"= 15 (0xf)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoInternetIcon"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, digest.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RecSche"="c:\program files\LifeView TVR\RecSche.exe"
"nwiz"=nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashGet\\FlashGet.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14.5.2009 15:47 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [21.12.2007 8:21 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14.5.2009 15:47 731840]
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [9.9.2008 14:49 693512]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2.1.2009 1:32 604416]
R2 WinFLdrv;WinFLdrv;c:\windows\system32\WinFLdrv.sys [8.6.2009 22:45 10752]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [11.2.2009 0:19 598856]
R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [20.12.2007 17:13 1553896]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [9.9.2008 14:49 906504]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
S3 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [4.8.2004 13:00 5120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-06-10 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-04-27 13:37]

2009-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-1214440339-682003330-500.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-19 16:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.babylon.com/home
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Translate this web page with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
IE: {{F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - res://c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\k63621ll.default\
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-06-10 23:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\sys_drv.dat 7028 bytes
c:\windows\system32\sys_drv_2.dat 6024 bytes
c:\documents and settings\Administrator\Application Data\systemfl.$dk 990 bytes

scan completed successfully
hidden files: 3

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OMSCAN]
"ImagePath"="\Sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-299502267-1214440339-682003330-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a7,c2,48,53,a7,fa,a0,07,76,fd,2e,31,12,85,f8,70,ab,44,8b,20,4c,46,45,
f4,61,f4,09,45,7b,6b,98,ca,a0,fc,26,57,11,06,95,7a,01,bb,a3,23,20,81,3b,fa,\
"??"=hex:2f,87,fa,5f,63,6c,01,64,41,4b,3c,6e,3a,5f,4a,aa

[HKEY_USERS\S-1-5-21-299502267-1214440339-682003330-500\Software\SecuROM\License information*]
"datasecu"=hex:a7,21,5d,f0,31,f9,8e,af,5f,d7,60,8d,b1,42,57,5d,fe,f0,b2,99,a7,
f0,23,be,7b,e1,9a,e9,4d,b8,7e,d2,2c,e6,81,83,9f,f8,45,76,0d,66,9a,96,0b,56,\
"rkeysecu"=hex:a2,76,94,96,eb,8d,b4,4b,cf,1c,9c,15,2c,13,cd,80
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(568-)
c:\windows\system32\SETUPAPI.dll

- - - - - - - > 'lsass.exe'(624)
c:\windows\system32\SETUPAPI.dll

- - - - - - - > 'explorer.exe'(2800)
c:\windows\system32\SHDOCVW.dll
c:\windows\system32\COMRes.dll
c:\program files\Babylon\Babylon-Pro\Captlib.dll
c:\windows\system32\MSVCP60.dll
c:\windows\system32\credui.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\LClock\LC.dll
c:\program files\Unlocker\UnlockerCOM.dll
c:\program files\Norton Ghost\Browser\VProShellExt.dll
c:\program files\WinRar\rarext.dll
c:\progra~1\COMMON~1\WEBROO~1\SHELLW~1.DLL
c:\program files\TuneUp Utilities 2009\SDShelEx-win32.dll
c:\program files\TechSmith\Snagit 9\SnagitShellExt.dll
c:\program files\TechSmith\Snagit 9\SnagItShellExtRes.dll
c:\program files\Folder Lock 6\FLContextMenu.dll
c:\program files\ESET\ESET NOD32 Antivirus\shellExt.dll
c:\windows\system32\CmdLineExt.dll
c:\windows\system32\comdlg32.dll
c:\progra~1\MICROS~1\OFFICE11\MCPS.DLL
.
Completion time: 2009-06-10 23:55
ComboFix-quarantined-files.txt 2009-06-10 21:55
ComboFix2.txt 2009-06-10 11:00
ComboFix3.txt 2009-06-10 10:40

Pre-Run: 32.534.925.312 bytes free
Post-Run: 32.524.365.824 bytes free

369 --- E O F --- 2009-06-08 19:16
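As an added example (not part of this thread and not ComboFix's or catchme's own code), here is a small Python triage script for the two parts of a log like the one above that a practitioner reads first: the catchme "hidden files" section and the Services keys ComboFix printed with their ImagePath values. The sample input is reproduced from the log excerpts above and embedded so the script runs offline; the ImagePath heuristic (a drive path, a \SystemRoot\ path, a \??\ NT path or a system32-relative path count as the usual forms) is my own assumption and yields a review list, not a verdict. catchme can list files hidden by legitimate software as well, and an ImagePath of just "\Sys" does not look like any file path Windows normally stores there, so both results are things to check by hand rather than proof of infection.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the catchme and registry excerpts of the
# ComboFix log posted above, reproduced here so the example runs offline.
SAMPLE_LOG = r"""catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-06-10 23:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\sys_drv.dat 7028 bytes
c:\windows\system32\sys_drv_2.dat 6024 bytes
c:\documents and settings\Administrator\Application Data\systemfl.$dk 990 bytes

scan completed successfully
hidden files: 3

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OMSCAN]
"ImagePath"="\Sys"
.
"""

# One catchme hidden-file line: "<drive path> <size> bytes"
HIDDEN_FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) (?P<size>\d+) bytes$")
# A Services key header as ComboFix prints it
SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\]\\]+)\]$",
    re.IGNORECASE,
)
IMAGE_PATH_RE = re.compile(r'^"ImagePath"="(?P<path>.*)"$')
# Assumed "usual" ImagePath forms on XP: drive path, \SystemRoot\..., \??\...,
# or a path relative to %SystemRoot% such as system32\DRIVERS\foo.sys.
KNOWN_IMAGE_PATH_RE = re.compile(
    r'^"?(?:[A-Za-z]:\\|\\SystemRoot\\|\\\?\?\\|system32\\)', re.IGNORECASE
)


def parse_hidden_files(log: str) -> List[Tuple[str, int]]:
    """(path, size) pairs listed between 'scanning hidden files' and 'scan completed'."""
    found: List[Tuple[str, int]] = []
    in_section = False
    for line in log.splitlines():
        if line.startswith("scanning hidden files"):
            in_section = True
            continue
        if line.startswith("scan completed"):
            in_section = False
        if in_section:
            m = HIDDEN_FILE_RE.match(line)
            if m:
                found.append((m.group("path"), int(m.group("size"))))
    return found


def reported_hidden_count(log: str) -> int:
    """The count catchme prints itself; compare it with len(parse_hidden_files(log))."""
    m = re.search(r"^hidden files: (\d+)$", log, re.MULTILINE)
    return int(m.group(1)) if m else 0


def parse_services(log: str) -> Dict[str, str]:
    """Map service name -> ImagePath for every Services key in the log."""
    services: Dict[str, str] = {}
    current = None
    for line in log.splitlines():
        key = SERVICE_KEY_RE.match(line)
        if key:
            current = key.group("name")
            continue
        if current and line in ("", "."):  # blank line or "." closes the key block
            current = None
            continue
        if current:
            ip = IMAGE_PATH_RE.match(line)
            if ip:
                services[current] = ip.group("path")
    return services


def flag_service_paths(services: Dict[str, str]) -> List[str]:
    """Names whose ImagePath matches none of the usual forms: a review list, not a verdict."""
    return [name for name, path in services.items() if not KNOWN_IMAGE_PATH_RE.match(path)]


if __name__ == "__main__":
    files = parse_hidden_files(SAMPLE_LOG)
    print(f"catchme reported {reported_hidden_count(SAMPLE_LOG)} hidden files, parsed {len(files)}:")
    for path, size in files:
        print(f"  {size:>6} bytes  {path}")
    print("services to review:", flag_service_paths(parse_services(SAMPLE_LOG)))
```

Run it on a saved ComboFix log instead of the embedded sample by reading the file into `parse_hidden_files` and `parse_services`; a mismatch between `reported_hidden_count` and the number of parsed lines means the log was truncated or pasted incompletely, which is worth knowing before anyone acts on it.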

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

This file is for deletion: c:\documents and settings\Administrator\Application Data\TuneUp Software\TuneUp Utilities\StartUp Manager\Disabled objects\fmnupd32.exe


Apart from that, this looks clean. The problems you mention are probably related to that visual style you are using (you are also missing SP3, and possibly a reinstall of the graphics driver if nothing else helps).

Unless the AV now detects something, do the following:

Click Start, then Run.

On Vista, use the Start Search box if Run is not available.

In the text box type (or paste) the following:

combofix /u

Note that there is a space between "ComboFix" and "/u".

Then click OK (or press Enter).

Wait for the uninstall process to finish.


For further advice, open a thread in the Windows forum.

  • Joined: 26 Dec 2007
  • Posts: 132

Posted: 11 Jun 2009 17:00

I deleted that. I tried to scan again from normal mode (not safe mode) and I can't, because that loss of graphics interrupts it.
So I'll find Service Pack 3 and install it. I'll also look for graphics drivers, although my card is already an old 6600, so I don't believe there is anything new for it.


By the way, from the start I had disabled the NVIDIA nView assistant; now I've enabled it, although I don't believe these problems are because of that, since it is for configuring the appearance. I'll open a thread there and ask.


I just need one more piece of advice. I use NOD32 AV 4, ZoneAlarm Pro and Spyware S&D. I haven't touched anything; it's as installed by default. I turn S&D on only from time to time to scan, while NOD32 and ZA do the work in the background. Should I configure something in them so that my protection is complete?

Addendum: 11 Jun 2009 17:20

Let me add that people have told me I was sending them some e-mails. Probably one of these viruses did that.

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Rocky I ::I just need one more piece of advice. I use NOD32 AV 4, ZoneAlarm Pro and Spyware S&D. I haven't touched anything; it's as installed by default. I turn S&D on only from time to time to scan, while NOD32 and ZA do the work in the background. Should I configure something in them so that my protection is complete?

I don't think any special settings are needed.
