[ LORKA @ 03.04.2009. 15:17 ] @
I picked up the trojan Win32/TrojanDownloader.Zlob.CZG.trojan. NOD32 finds it in WINDOWS/system32/userinit.exe but cannot delete it. How do I get rid of this pest?
[ Nemanja Živanović @ 04.04.2009. 00:38 ] @
Hi Lorka! To start, download the program HijackThis.
When you have downloaded it, rename the file to anything, e.g. blabla.exe. Run it and click "Do a system scan and save a logfile". Copy that log file here so we can take a look.
[ LORKA @ 04.04.2009. 00:54 ] @
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:52:51 AM, on 4/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\userinit.exe
D:\Program Files\Google\Update\GoogleUpdate.exe
D:\Program Files\ESET\ESET Smart Security\ekrn.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
D:\WINDOWS\system32\PnkBstrA.exe
D:\WINDOWS\system32\PnkBstrB.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe
D:\Program Files\PowerISO\PWRISOVM.EXE
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Winamp\winampa.exe
D:\WINDOWS\vsnpstd.exe
D:\WINDOWS\RTHDCPL.EXE
D:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\ESET\ESET Smart Security\egui.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\Xfire\Xfire.exe
D:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\DAEMON Tools Pro\DTProShellHlp.exe
D:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe
D:\Program Files\AutoCAD 2008\acad.exe
D:\DOCUME~1\dP\LOCALS~1\Temp\AdskCleanup.0001
D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
D:\Program Files\Microsoft Office\Office12\EXCEL.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {0a38dae5-1c02-4be9-a7e5-dd92df246731} - D:\WINDOWS\system32\gotahati.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - D:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: BS.Player ControlBar - {2C688203-7EB3-4327-9995-1CB417BA23F9} - D:\Program Files\BS.Player ControlBar\BSToolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Six Engine] "D:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe" -r
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [snpstd] D:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [8cdf281d] rundll32.exe "D:\WINDOWS\system32\koroyogo.dll",b
O4 - HKLM\..\Run: [CPMe77be6e5] Rundll32.exe "d:\windows\system32\kipilopa.dll",a
O4 - HKLM\..\Run: [niwutifoke] Rundll32.exe "D:\WINDOWS\system32\lanimaye.dll",s
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Software Informer] "D:\Program Files\Software Informer\softinfo.exe" -autorun
O4 - HKCU\..\Run: [Comrade.exe] D:\Program Files\GameSpy\Comrade\Comrade.exe
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "D:\Program Files\DAEMON Tools Pro\DTProAgent.exe" -autorun
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MS AntiSpyware 2009] "D:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" /autorun
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] D:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - Startup: Adobe Media Player.lnk = D:\Program Files\Adobe Media Player\Adobe Media Player.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = D:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Xfire.lnk = D:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: D:\WINDOWS\system32\kirenalo.dll d:\windows\system32\kipilopa.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - d:\windows\system32\kipilopa.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - d:\windows\system32\kipilopa.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - D:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c95ca59863e4d4) (gupdate1c95ca59863e4d4) - Google Inc. - D:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - D:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 8417 bytes
[ Nemanja Živanović @ 04.04.2009. 01:13 ] @
Uh, you have all sorts of things here... There is a rogue antivirus present as well... Let's begin... Run the scan again with HijackThis and tick the following lines:
O2 - BHO: (no name) - {0a38dae5-1c02-4be9-a7e5-dd92df246731} - D:\WINDOWS\system32\gotahati.dll (file missing)
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - (no file)
O4 - HKLM\..\Run: [8cdf281d] rundll32.exe "D:\WINDOWS\system32\koroyogo.dll",b
O4 - HKLM\..\Run: [CPMe77be6e5] Rundll32.exe "d:\windows\system32\kipilopa.dll",a
O4 - HKLM\..\Run: [niwutifoke] Rundll32.exe "D:\WINDOWS\system32\lanimaye.dll",s
O4 - HKCU\..\Run: [MS AntiSpyware 2009] "D:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" /autorun
O20 - AppInit_DLLs: D:\WINDOWS\system32\kirenalo.dll d:\windows\system32\kipilopa.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - d:\windows\system32\kipilopa.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - d:\windows\system32\kipilopa.dll
Press Fix Checked and restart the computer.
*********************
After that, we move on to this program:
• Download SmitFraudfix to the Desktop
• Restart the computer in Safe Mode
• Run SmitFraudfix by double-clicking its icon
• The Credits screen appears (press any key to continue)
• A menu now opens where you press 2 (this indicates that the cleaning process should start)
• The program will start cleaning the computer in several phases and when it finishes the Disk Cleanup program will run (to clean Temp, Temporary Internet Files...)
• When that process finishes a screen appears asking: Do you want to clean the registry ? (y/n) - press Y and then Enter
• When these processes finish a red screen appears with the message Computer will reboot now. Close all applications; press the spacebar to confirm
• The computer will then restart in normal mode and Notepad will open automatically with the report. Save it and copy it here. At this location you can see how this program works.
*********************
Moving on:
• Download and install the program Malwarebytes` Anti-Malware
• Run it and perform an update (Update > Check for Updates) and when it finishes confirm with OK
• After the update choose Scanner, select Perform full scan and press Scan
• When the scan finishes you will see the list of detected "pests" in the left pane (if the program finds any)
• Check that all detected files are ticked, press Remove Selected and confirm with OK
• The program will ask you to restart the computer; confirm that
• Also, after the malware is removed from the computer you will get a log file (report) which you should copy here
*********************
When you have done all this, report the new state and post:
• A new HijackThis log
• The SmitFraudfix report
• The Malwarebytes` Antimalware report
[ valjan @ 04.04.2009. 09:17 ] @
This trojan most often comes bundled with this:
O4 - HKCU\..\Run: [MS AntiSpyware 2009] "D:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" /autorun
So my advice is, once you get rid of this pest, to STOP CLICKING on the various "warnings" you see on web sites - no web page can know that you have viruses, e-mails in your inbox, problems with your hard disk or the registry, or anything else about your computer (apart from your IP address and a few other details), unless you have something installed that gives them that insight. Even with online AV scanners you first have to install something on your computer and confirm that you allow the installation before the scanner can do its job.
As for removal, userinit.exe is a process without which nobody can log on to the computer, and if you delete or disable it in any way, Windows will log you out a few seconds after you log on. So take care that, when cleaning this trojan, you replace the infected userinit.exe with a clean one properly. If no AV program helps you, or one does you a "disservice" by simply deleting userinit.exe without replacing it with a good copy, you can first try to repair it using the WinXP installation disc: boot the computer from the XP installation disc; when it offers the install/repair options, press R to start the Recovery Console; choose which Windows installation to repair by entering the corresponding number (usually 1, since users normally have only one Windows installed on their computers); then type copy X:\i386\userinit.ex_ c:\windows\system32, where X is the drive letter of your CD/DVD drive, and after that restart the computer. If that doesn't help either, you can try the following method described in another thread: from http://nu2.nu/pebuilder/ download BartPE and create a bootable CD (you will also need the XP installation CD for this).
Then boot your computer from the BartPE disc, click Run, type regedit.exe, and then: open the HKEY_USERS branch, load the corresponding registry hive from the hard disk (usually C:\Windows\System32\Config\Software), give it a name (e.g. Novo), open HKEY_USERS\Novo\Microsoft\Windows NT\CurrentVersion\Winlogon, correct the Userinit value if necessary so that it points properly to C:\Windows\System32\Userinit.exe, save the changes (Unload Hive), copy a fresh copy of Userinit.exe from the System32 folder of the BartPE disc to the above path on the hard disk, and then restart the computer.
[This message was edited by valjan on 04.04.2009. at 10:41 GMT+1]
[This message was edited by valjan on 04.04.2009. at 10:42 GMT+1]
[ LORKA @ 04.04.2009. 10:19 ] @
I did all the steps you recommended, but I still get warnings that I have a security problem, and occasionally Internet Explorer opens with a page from which something called Antispyware Remover 2009 or Virus Remover 2009 supposedly scans my hard disks. The reports I got after going through the procedure are the following:

VACFix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» RK

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{E48C52C4-96A1-47FC-93ED-924F2DC9C28C}: DhcpNameServer=217.23.192.9 217.23.192.14
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E48C52C4-96A1-47FC-93ED-924F2DC9C28C}: DhcpNameServer=217.23.192.9 217.23.192.14
HKLM\SYSTEM\CS2\Services\Tcpip\..\{E48C52C4-96A1-47FC-93ED-924F2DC9C28C}: DhcpNameServer=217.23.192.9 217.23.192.14
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=217.23.192.9 217.23.192.14
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=217.23.192.9 217.23.192.14
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=217.23.192.9 217.23.192.14

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"="STS"

[HKEY_CLASSES_ROOT\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InProcServer32]
@="d:\windows\system32\kipilopa.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InProcServer32]
@="d:\windows\system32\kipilopa.dll"

»»»»»»»»»»»»»»»»»»»»»»»» End

then:

Malwarebytes' Anti-Malware 1.35
Database version: 1939
Windows 5.1.2600 Service Pack 2

4/4/2009 6:28:41 AM
mbam-log-2009-04-04 (06-28-41).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 286655
Time elapsed: 1 hour(s), 25 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 7
Registry Values Infected: 4
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
D:\WINDOWS\system32\koroyogo.dll (Trojan.Vundo.H) -> Delete on reboot.
d:\WINDOWS\system32\kipilopa.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{a44b024a-ce32-4bda-0075-c799a4bff141} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpme77be6e5 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8cdf281d (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: d:\windows\system32\kipilopa.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\kipilopa.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: d:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
d:\WINDOWS\system32\kipilopa.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\koroyogo.dll (Trojan.Vundo.H) -> Delete on reboot.
D:\WINDOWS\system32\6HfbdRv1.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.

and after finishing the procedure I scanned the system with HijackThis and got the following report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:46, on 4/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\userinit.exe
D:\Program Files\Google\Update\GoogleUpdate.exe
D:\Program Files\ESET\ESET Smart Security\ekrn.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
D:\WINDOWS\system32\PnkBstrA.exe
D:\WINDOWS\system32\PnkBstrB.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Winamp\winampa.exe
D:\WINDOWS\vsnpstd.exe
D:\WINDOWS\RTHDCPL.EXE
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\ESET\ESET Smart Security\egui.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\Xfire\Xfire.exe
D:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - D:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: BS.Player ControlBar - {2C688203-7EB3-4327-9995-1CB417BA23F9} - D:\Program Files\BS.Player ControlBar\BSToolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Six Engine] "D:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe" -r
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [snpstd] D:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Software Informer] "D:\Program Files\Software Informer\softinfo.exe" -autorun
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "D:\Program Files\DAEMON Tools Pro\DTProAgent.exe" -autorun
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] D:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - Startup: Adobe Media Player.lnk = D:\Program Files\Adobe Media Player\Adobe Media Player.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = D:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Xfire.lnk = D:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - D:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c95ca59863e4d4) (gupdate1c95ca59863e4d4) - Google Inc. - D:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - D:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 7016 bytes
[ valjan @ 04.04.2009. 10:34 ] @
Since Vundo shows up in your reports, it might not be a bad idea to download VundoFix and run a scan with it. The link and usage instructions can be found at:
http://vundofix.atribune.org/
Since you say that the ads still pop up, and Vundo is known precisely for that, you most likely still have some "tail" of it left.
[ LORKA @ 04.04.2009. 11:19 ] @
VundoFix ran a scan and found nothing suspicious, and the same thing still appears.
[ Nemanja Živanović @ 04.04.2009. 11:25 ] @
Download the program RSIT and run it. When it asks you in the first window, choose roughly when that trojan appeared (the last month, two or three) and continue with Continue. At the end of the scan, log.txt will open; copy it here so we can take a look. If you accidentally close it, that file will be saved as C:\rsit\log.txt.
[ LORKA @ 04.04.2009. 11:33 ] @
Logfile of random's system information tool 1.06 (written by random/random)
Run by dP at 2009-04-04 12:31:37
Microsoft Windows XP Professional Service Pack 2
System drive D: has 15 GB (15%) free of 100 GB
Total RAM: 2047 MB (59% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:39, on 4/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\userinit.exe
D:\Program Files\Google\Update\GoogleUpdate.exe
D:\Program Files\ESET\ESET Smart Security\ekrn.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
D:\WINDOWS\system32\PnkBstrA.exe
D:\WINDOWS\system32\PnkBstrB.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Winamp\winampa.exe
D:\WINDOWS\vsnpstd.exe
D:\WINDOWS\RTHDCPL.EXE
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\ESET\ESET Smart Security\egui.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\Xfire\Xfire.exe
D:\Program Files\Skype\Plugin Manager\skypePM.exe
D:\Program Files\DAEMON Tools Pro\DTProShellHlp.exe
D:\Program Files\AutoCAD 2008\acad.exe
D:\DOCUME~1\dP\LOCALS~1\Temp\AdskCleanup.0001
D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\dP\Desktop\RSIT.exe
D:\Program Files\Trend Micro\HijackThis\dP.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - D:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: BS.Player ControlBar - {2C688203-7EB3-4327-9995-1CB417BA23F9} - D:\Program Files\BS.Player ControlBar\BSToolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Six Engine] "D:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe" -r
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [snpstd] D:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Software Informer] "D:\Program Files\Software Informer\softinfo.exe" -autorun
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "D:\Program Files\DAEMON Tools Pro\DTProAgent.exe" -autorun
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] D:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - Startup: Adobe Media Player.lnk = D:\Program Files\Adobe Media Player\Adobe Media Player.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = D:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Xfire.lnk = D:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - D:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c95ca59863e4d4) (gupdate1c95ca59863e4d4) - Google Inc. - D:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - D:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 7264 bytes

======Scheduled tasks folder======

D:\WINDOWS\tasks\Google Software Updater.job
D:\WINDOWS\tasks\GoogleUpdateTaskMachine.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-03-14 251504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - D:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-03-25 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - D:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll [2009-03-14 522224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - D:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-20 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-20 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2C688203-7EB3-4327-9995-1CB417BA23F9} - BS.Player ControlBar - D:\Program Files\BS.Player ControlBar\BSToolbar.dll [2008-10-08 859592]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google Toolbar - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-03-14 251504]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Six Engine"=D:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe [2008-06-25 5625344]
"PWRISOVM.EXE"=D:\Program Files\PowerISO\PWRISOVM.EXE [2008-11-02 167936]
"GrooveMonitor"=D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-27 31016]
"WinampAgent"=D:\Program Files\Winamp\winampa.exe [2008-08-04 36352]
"snpstd"=D:\WINDOWS\vsnpstd.exe
[2005-10-11 339968] "RTHDCPL"=D:\WINDOWS\RTHDCPL.EXE [2008-12-26 18081280] "Alcmtr"=D:\WINDOWS\ALCMTR.EXE [2008-06-19 57344] "Adobe Reader Speed Launcher"=D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696] "SunJavaUpdateSched"=D:\Program Files\Java\jre6\bin\jusched.exe [2009-03-20 148888] "Logitech Utility"=D:\WINDOWS\Logi_MwX.Exe [2003-12-11 20992] "egui"=D:\Program Files\ESET\ESET Smart Security\egui.exe [2009-02-06 2021400] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"=D:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360] "Software Informer"=D:\Program Files\Software Informer\softinfo.exe -autorun [] "fsm"= [] "swg"=D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-12-07 39408] "Skype"=D:\Program Files\Skype\Phone\Skype.exe [2009-02-04 23975720] "DAEMON Tools Pro Agent"=D:\Program Files\DAEMON Tools Pro\DTProAgent.exe [2009-01-26 228808] "Steam"=D:\Program Files\Steam\Steam.exe [2009-03-04 1410296] "ares"=D:\Program Files\Ares\Ares.exe -h [] "MSMSGS"=D:\Program Files\Messenger\msmsgs.exe [2004-08-04 1667584] "Uniblue RegistryBooster 2009"=D:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S [] D:\Documents and Settings\dP\Start Menu\Programs\Startup Adobe Media Player.lnk - D:\Program Files\Adobe Media Player\Adobe Media Player.exe OneNote 2007 Screen Clipper and Launcher.lnk - D:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE Xfire.lnk - D:\Program Files\Xfire\Xfire.exe [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent] D:\WINDOWS\system32\Ati2evxx.dll [2008-10-29 143360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] "notification packages"=scecli D:\WINDOWS\system32\kirenalo.dll 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "dontdisplaylastusername"=0 "legalnoticecaption"= "legalnoticetext"= "shutdownwithoutlogon"=1 "undockwithoutlogon"=1 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "NoDriveTypeAutoRun"=149 [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "D:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="D:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook" "D:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="D:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove" "D:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="D:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote" "D:\Program Files\Winamp Remote\bin\Orb.exe"="D:\Program Files\Winamp Remote\bin\Orb.exe:*:Enabled:Orb" "D:\Program Files\Winamp Remote\bin\OrbTray.exe"="D:\Program Files\Winamp Remote\bin\OrbTray.exe:*:Enabled:OrbTray" "D:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe"="D:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:*:Enabled:Orb Stream Client" "D:\Program Files\uTorrent\uTorrent.exe"="D:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent" "D:\WINDOWS\system32\PnkBstrA.exe"="D:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA" "D:\WINDOWS\system32\PnkBstrB.exe"="D:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB" "C:\Program Files\Unreal Tournament 3\Binaries\UT3.exe"="C:\Program Files\Unreal Tournament 3\Binaries\UT3.exe:*:Enabled:Unreal Tournament 3" "D:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe"="D:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM) " "C:\Program Files\KONAMI\Pro Evolution 
Soccer 2009\pes2009.exe"="C:\Program Files\KONAMI\Pro Evolution Soccer 2009\pes2009.exe:*:Enabled:Pro Evolution Soccer 2009" "D:\Program Files\Xfire\Xfire.exe"="D:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire" "C:\Program Files\Electronic Arts\Crytek\Crysis Wars\Bin32\Crysis.exe"="C:\Program Files\Electronic Arts\Crytek\Crysis Wars\Bin32\Crysis.exe:*:Enabled:Crysis" "D:\Program Files\eMule\emule.exe"="D:\Program Files\eMule\emule.exe:*:Enabled:eMule" "D:\Program Files\Activision\Call of Duty - World at War\CoDWaW.exe"="D:\Program Files\Activision\Call of Duty - World at War\CoDWaW.exe:*:Enabled:Call of Duty(R) - World at War(TM) " "D:\Program Files\Activision\Call of Duty - World at War\CoDWaWmp.exe"="D:\Program Files\Activision\Call of Duty - World at War\CoDWaWmp.exe:*:Enabled:Call of Duty(R) - World at War(TM) " "D:\Program Files\Sports Interactive\Football Manager 2009\fm.exe"="D:\Program Files\Sports Interactive\Football Manager 2009\fm.exe:*:Enabled:Football Manager 2009" "D:\Program Files\Dassault Systemes\B205\intel_a\code\bin\CNEXT.exe"="D:\Program Files\Dassault Systemes\B205\intel_a\code\bin\CNEXT.exe:*:Enabled:CATIA" "D:\Program Files\Ares\Ares.exe"="D:\Program Files\Ares\Ares.exe:*:Enabled:Ares p2p for windows" "D:\Program Files\Ubisoft\Ghost Recon Advanced Warfighter\GRAW.exe"="D:\Program Files\Ubisoft\Ghost Recon Advanced Warfighter\GRAW.exe:*:Enabled:GRAW" "C:\Program Files\Dassault Systemes\B18\intel_a\code\bin\CATUTIL.exe"="C:\Program Files\Dassault Systemes\B18\intel_a\code\bin\CATUTIL.exe:*:Enabled:V5 Batch Management" "C:\Program Files\Dassault Systemes\B18\intel_a\code\bin\CATSysDemon.exe"="C:\Program Files\Dassault Systemes\B18\intel_a\code\bin\CATSysDemon.exe:*:Enabled:System" "D:\WINDOWS\system32\dpvsetup.exe"="D:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test" "D:\WINDOWS\system32\rundll32.exe"="D:\WINDOWS\system32\rundll32.exe:*:Enabled:Run a DLL as an App" "D:\Program Files\Java\jre6\bin\javaw.exe"="D:\Program 
Files\Java\jre6\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary" "C:\Program Files\Dassault Systemes\B18\intel_a\code\bin\CNEXT.exe"="C:\Program Files\Dassault Systemes\B18\intel_a\code\bin\CNEXT.exe:*:Enabled:CATIA" "D:\WINDOWS\explorer.exe"="D:\WINDOWS\explorer.exe:*:Enabled:Explorer" "D:\WINDOWS\system32\winlogon.exe"="D:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon" "D:\Program Files\Skype\Phone\Skype.exe"="D:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad351f41-e161-11dd-99f9-00221585308a}] shell\AutoRun\command - D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs ======File associations====== .scr - open - "D:\WINDOWS\system32\notepad.exe" "%1" .scr - install - .scr - config - ======List of files/folders created in the last 1 months====== 2009-04-04 12:31:37 ----D---- D:\rsit 2009-04-04 12:11:53 ----D---- D:\VundoFix Backups 2009-04-04 12:11:53 ----A---- D:\VundoFix.txt 2009-04-04 04:19:26 ----D---- D:\Documents and Settings\dP\Application Data\Malwarebytes 2009-04-04 04:19:21 ----D---- D:\Documents and Settings\All Users\Application Data\Malwarebytes 2009-04-04 04:19:20 ----D---- D:\Program Files\Malwarebytes' Anti-Malware 2009-04-04 03:48:06 ----A---- D:\WINDOWS\system32\tmp.txt 2009-04-04 03:48:01 ----A---- D:\rapport.txt 2009-04-04 03:47:39 ----A---- D:\WINDOWS\system32\o4Patch.exe 2009-04-04 03:47:39 ----A---- D:\WINDOWS\system32\IEDFix.C.exe 2009-04-04 03:47:39 ----A---- D:\WINDOWS\system32\Agent.OMZ.Fix.exe 2009-04-04 03:47:39 ----A---- D:\WINDOWS\system32\404Fix.exe 2009-04-04 03:47:38 ----A---- D:\WINDOWS\system32\WS2Fix.exe 2009-04-04 03:47:38 ----A---- D:\WINDOWS\system32\VCCLSID.exe 
2009-04-04 03:47:38 ----A---- D:\WINDOWS\system32\VACFix.exe 2009-04-04 03:47:38 ----A---- D:\WINDOWS\system32\swxcacls.exe 2009-04-04 03:47:38 ----A---- D:\WINDOWS\system32\swsc.exe 2009-04-04 03:47:38 ----A---- D:\WINDOWS\system32\swreg.exe 2009-04-04 03:47:38 ----A---- D:\WINDOWS\system32\SrchSTS.exe 2009-04-04 03:47:38 ----A---- D:\WINDOWS\system32\Process.exe 2009-04-04 03:47:38 ----A---- D:\WINDOWS\system32\IEDFix.exe 2009-04-04 03:47:38 ----A---- D:\WINDOWS\system32\dumphive.exe 2009-04-04 03:43:28 ----D---- D:\WINDOWS\pss 2009-04-04 01:30:37 ----HDC---- D:\Documents and Settings\All Users\Application Data\~0 2009-04-03 18:01:14 ----D---- D:\Program Files\Trend Micro 2009-04-01 23:13:23 ----D---- D:\Documents and Settings\dP\Application Data\ESET 2009-04-01 23:12:40 ----D---- D:\Program Files\ESET 2009-04-01 23:08:01 ----SHD---- D:\Config.Msi 2009-04-01 18:18:35 ----SH---- D:\WINDOWS\system32\tajopava.exe 2009-04-01 18:18:35 ----AH---- D:\WINDOWS\system32\BIT7D0.tmp 2009-03-28 04:25:05 ----D---- D:\Program Files\Cambridge 2009-03-28 04:11:39 ----D---- D:\Documents and Settings\dP\Application Data\f2fPreIntermediate 2009-03-27 11:03:56 ----N---- D:\WINDOWS\system32\lmoufrc.dll 2009-03-27 11:03:56 ----N---- D:\WINDOWS\system32\LCOINST.DLL 2009-03-27 11:03:56 ----N---- D:\WINDOWS\LOGI_MWX.EXE 2009-03-27 11:03:56 ----D---- D:\Program Files\Logitech 2009-03-27 11:03:56 ----D---- D:\Program Files\Common Files\Logitech 2009-03-27 11:03:56 ----A---- D:\WINDOWS\system32\LMOUSE32.DLL 2009-03-27 11:03:56 ----A---- D:\WINDOWS\system32\LMOUSE16.DLL 2009-03-27 11:03:56 ----A---- D:\WINDOWS\system32\LGUICOM.DLL 2009-03-27 11:03:56 ----A---- D:\WINDOWS\system32\COMNCTR.DLL 2009-03-25 00:13:47 ----HDC---- D:\Documents and Settings\All Users\Application Data\{0AAA1129-1E09-47FC-B02B-648C164E1F6F} 2009-03-21 00:25:02 ----A---- D:\WINDOWS\system32\xfcodec.dll 2009-03-20 16:28:27 ----A---- D:\WINDOWS\system32\javaws.exe 2009-03-19 17:10:20 ----D---- D:\Documents and Settings\All 
Users\Application Data\FLEXnet 2009-03-19 17:08:48 ----D---- D:\Program Files\Common Files\Macrovision Shared 2009-03-19 17:07:08 ----D---- D:\TeklaStructures 2009-03-19 17:06:12 ----D---- D:\TeklaStructuresModels 2009-03-18 21:53:20 ----D---- D:\Program Files\P2P_Energy 2009-03-18 21:53:20 ----D---- D:\Program Files\Conduit 2009-03-18 21:53:18 ----D---- D:\Documents and Settings\dP\Application Data\LimeWireTurbo 2009-03-16 21:22:37 ----A---- D:\WINDOWS\RtkUpd.exe 2009-03-16 17:00:24 ----A---- D:\WINDOWS\usnpstd.exe 2009-03-16 16:51:56 ----D---- D:\Program Files\Uniblue 2009-03-16 16:51:45 ----HDC---- D:\Documents and Settings\All Users\Application Data\{D5ABFFAD-D592-4F98-B02B-587125B4801F} 2009-03-15 23:38:28 ----D---- D:\Program Files\SATVOD 2009-03-15 00:12:12 ----D---- D:\Documents and Settings\dP\Application Data\Uniblue 2009-03-15 00:12:12 ----D---- D:\Documents and Settings\All Users\Application Data\DriverScanner 2009-03-14 23:19:26 ----D---- D:\WINDOWS\Sun 2009-03-14 11:12:42 ----D---- D:\Documents and Settings\dP\Application Data\The Creative Assembly 2009-03-05 23:11:52 ----D---- D:\Documents and Settings\All Users\Application Data\PEERNET 2009-03-05 23:11:50 ----D---- D:\Documents and Settings\dP\Application Data\PEERNET 2009-03-05 23:11:16 ----D---- D:\Program Files\PDF Creator Plus 4.0 ======List of files/folders modified in the last 1 months====== 2009-04-04 12:31:18 ----D---- D:\WINDOWS\Prefetch 2009-04-04 12:30:54 ----D---- D:\WINDOWS\Temp 2009-04-04 12:18:25 ----D---- D:\Documents and Settings\dP\Application Data\Skype 2009-04-04 11:29:10 ----SD---- D:\WINDOWS\Tasks 2009-04-04 10:26:01 ----SHD---- D:\WINDOWS\Installer 2009-04-04 10:20:07 ----D---- D:\WINDOWS\system32 2009-04-04 10:20:07 ----A---- D:\WINDOWS\system32\PerfStringBackup.INI 2009-04-04 10:17:05 ----D---- D:\Documents and Settings\dP\Application Data\skypePM 2009-04-04 10:16:46 ----D---- D:\Program Files\Steam 2009-04-04 06:37:02 ----A---- D:\WINDOWS\SchedLgU.Txt 2009-04-04 06:36:27 
----RD---- D:\Program Files 2009-04-04 06:33:51 ----D---- D:\WINDOWS 2009-04-04 06:30:02 ----D---- D:\WINDOWS\system32\drivers 2009-04-04 06:04:20 ----D---- D:\Program Files\Xfire 2009-04-04 04:15:26 ----A---- D:\WINDOWS\win.ini 2009-04-04 04:15:26 ----A---- D:\WINDOWS\system.ini 2009-04-04 03:03:14 ----A---- D:\WINDOWS\system32\PnkBstrB.exe 2009-04-04 02:33:28 ----D---- D:\Documents and Settings\dP\Application Data\Xfire 2009-04-03 19:07:12 ----D---- D:\Documents and Settings\All Users\Application Data\Google Updater 2009-04-02 19:01:23 ----A---- D:\WINDOWS\ursa.ini 2009-04-02 06:10:44 ----HD---- D:\WINDOWS\inf 2009-04-02 06:10:32 ----D---- D:\WINDOWS\system32\CatRoot2 2009-04-01 23:12:40 ----D---- D:\Documents and Settings\All Users\Application Data\ESET 2009-04-01 18:28:40 ----D---- D:\Program Files\Morton Benson 2009-04-01 10:02:46 ----D---- D:\Program Files\Google 2009-04-01 09:57:59 ----D---- D:\WINDOWS\Help 2009-04-01 00:12:20 ----A---- D:\WINDOWS\system32\userinit.exe 2009-03-30 11:18:17 ----D---- D:\Documents and Settings\dP\Application Data\uTorrent 2009-03-28 04:25:53 ----SD---- D:\Documents and Settings\dP\Application Data\Microsoft 2009-03-28 04:02:17 ----D---- D:\Documents and Settings\dP\Application Data\f2fElementary 2009-03-27 11:04:28 ----RSHDC---- D:\WINDOWS\system32\dllcache 2009-03-27 11:04:21 ----D---- D:\WINDOWS\system32\ReinstallBackups 2009-03-27 11:03:56 ----HD---- D:\Program Files\InstallShield Installation Information 2009-03-27 11:03:56 ----D---- D:\Program Files\Common Files 2009-03-25 00:12:49 ----HDC---- D:\Documents and Settings\All Users\Application Data\{0151C9FC-719D-4459-B1E2-4685CC6E62A8} 2009-03-20 16:28:18 ----A---- D:\WINDOWS\system32\javaw.exe 2009-03-20 16:28:18 ----A---- D:\WINDOWS\system32\java.exe 2009-03-20 16:28:18 ----A---- D:\WINDOWS\system32\deploytk.dll 2009-03-20 16:28:16 ----D---- D:\Program Files\Java 2009-03-20 12:39:39 ----RSD---- D:\WINDOWS\Fonts 2009-03-19 17:08:44 ----RSD---- D:\WINDOWS\assembly 2009-03-19 
16:38:40 ----D---- D:\Documents and Settings\All Users\Application Data\Nero 2009-03-18 13:18:14 ----D---- D:\Documents and Settings\All Users\Application Data\Adobe 2009-03-18 13:18:12 ----D---- D:\Program Files\Common Files\Adobe 2009-03-18 13:18:10 ----D---- D:\Program Files\Adobe 2009-03-16 21:21:38 ----D---- D:\Documents and Settings\All Users\Application Data\DassaultSystemes 2009-03-16 17:09:21 ----D---- D:\WINDOWS\system32\RTCOM 2009-03-16 17:00:36 ----D---- D:\WINDOWS\twain_32 2009-03-15 10:31:02 ----D---- D:\WINDOWS\Microsoft.NET 2009-03-15 02:49:59 ----D---- D:\WINDOWS\system32\config 2009-03-15 02:41:20 ----D---- D:\Documents and Settings\All Users\Application Data\Microsoft Help 2009-03-15 02:40:50 ----D---- D:\Program Files\Microsoft Office 2009-03-15 02:40:48 ----D---- D:\Program Files\Common Files\Microsoft Shared 2009-03-15 02:40:46 ----D---- D:\Program Files\Microsoft Visual Studio 8 2009-03-15 02:30:26 ----D---- D:\Documents and Settings\dP\Application Data\BSplayer 2009-03-14 14:33:22 ----D---- D:\Documents and Settings\All Users\Application Data\Google 2009-03-13 00:57:19 ----D---- D:\WINDOWS\system32\DirectX 2009-03-05 23:11:04 ----D---- D:\Program Files\Common Files\Wise Installation Wizard ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R1 AsIO;AsIO; D:\WINDOWS\system32\drivers\AsIO.sys [2007-12-17 12400] R1 ehdrv;ehdrv; D:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-02-06 106208] R1 epfwtdi;epfwtdi; D:\WINDOWS\system32\DRIVERS\epfwtdi.sys [2009-02-06 56280] R1 intelppm;Intel Processor Driver; D:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096] R1 kbdhid;Keyboard HID Driver; D:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-04 14848] R1 LUM;LUM; \??\D:\WINDOWS\system32\drivers\LUM.sys [] R1 LUMDriver;LUMDriver; \??\D:\WINDOWS\system32\drivers\LUMDriver.sys [] R1 SCDEmu;SCDEmu; D:\WINDOWS\system32\drivers\SCDEmu.sys [2008-11-02 56572] R2 acedrv11;acedrv11; 
\??\D:\WINDOWS\system32\drivers\acedrv11.sys [] R2 eamon;eamon; D:\WINDOWS\system32\DRIVERS\eamon.sys [2009-02-06 113448] R2 epfw;epfw; D:\WINDOWS\system32\DRIVERS\epfw.sys [2009-02-06 130952] R3 ati2mtag;ati2mtag; D:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2008-10-29 3341824] R3 Epfwndis;Eset Personal Firewall; D:\WINDOWS\system32\DRIVERS\Epfwndis.sys [2009-02-06 33096] R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; D:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752] R3 hidusb;Microsoft HID Class Driver; D:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-23 9600] R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); D:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-12-26 4968448] R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller; D:\WINDOWS\system32\DRIVERS\l1e51x86.sys [2008-06-25 36864] R3 LHidFlt2;Logitech HID/USB Mouse Filter Driver; D:\WINDOWS\system32\DRIVERS\LHidFlt2.Sys [2003-12-11 25630] R3 LMouFlt2;Logitech Mouse Class Filter Driver; D:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys [2003-12-11 70894] R3 mouhid;Mouse HID Driver; D:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160] R3 MTsensor;ATK0110 ACPI UTILITY; D:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-13 5810] R3 RTHDMIAzAudService;Service for HDMI; D:\WINDOWS\system32\drivers\RtKHDMI.sys [2008-12-25 3721664] R3 snpstd;Trust Webcam 14823; D:\WINDOWS\system32\DRIVERS\snpstd.sys [2006-05-03 390784] R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; D:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624] R3 usbhub;USB2 Enabled Hub; D:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600] R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; D:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480] S3 at3wm9e0;at3wm9e0; D:\WINDOWS\system32\drivers\at3wm9e0.sys [] S3 CCDECODE;Closed Caption Decoder; D:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-04 17024] S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink 
Converter; D:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504] S3 NABTSFEC;NABTS/FEC VBI Codec; D:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-04 85376] S3 NdisIP;Microsoft TV/Video Connection; D:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-04 10880] S3 SLIP;BDA Slip De-Framer; D:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-04 11136] S3 streamip;BDA IPSink; D:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-04 15360] S3 SymIM;Symantec Network Security Intermediate Filter Service; D:\WINDOWS\system32\DRIVERS\SymIM.sys [] S3 SymIMMP;SymIMMP; D:\WINDOWS\system32\DRIVERS\SymIM.sys [] S3 usbscan;USB Scanner Driver; D:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104] S3 USBSTOR;USB Mass Storage Driver; D:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496] S3 WimFltr;WimFltr; D:\WINDOWS\system32\DRIVERS\wimfltr.sys [2006-11-02 128104] S3 WSTCODEC;World Standard Teletext Codec; D:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328] S4 IntelIde;IntelIde; D:\WINDOWS\system32\drivers\IntelIde.sys [] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 Ati HotKey Poller;Ati HotKey Poller; D:\WINDOWS\system32\Ati2evxx.exe [2008-10-29 585728] R2 ekrn;ESET Service; D:\Program Files\ESET\ESET Smart Security\ekrn.exe [2009-02-06 727720] R2 JavaQuickStarterService;Java Quick Starter; D:\Program Files\Java\jre6\bin\jqs.exe [2009-03-20 152984] R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0; D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe [2008-09-24 935208] R2 PnkBstrA;PnkBstrA; D:\WINDOWS\system32\PnkBstrA.exe [2009-03-01 75064] R2 PnkBstrB;PnkBstrB; D:\WINDOWS\system32\PnkBstrB.exe [2009-04-04 189072] R2 UMWdf;Windows User Mode Driver Framework; D:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912] R3 Autodesk Licensing Service;Autodesk Licensing Service; D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe [2008-11-26 85096] S2 ATI Smart;ATI Smart; 
D:\WINDOWS\system32\ati2sgag.exe [2008-10-28 593920] S2 gupdate1c95ca59863e4d4;Google Update Service (gupdate1c95ca59863e4d4); D:\Program Files\Google\Update\GoogleUpdate.exe [2009-02-12 133104] S2 gusvc;Google Software Updater; D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-25 183280] S3 aspnet_state;ASP.NET State Service; D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896] S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240] S3 EhttpSrv;ESET HTTP Server; D:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe [2009-02-06 20680] S3 FLEXnet Licensing Service;FLEXnet Licensing Service; D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-03-19 647680] S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; D:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864] S3 idsvc;Windows CardSpace; D:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376] S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; D:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824] S3 odserv;Microsoft Office Diagnostics Service; D:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136] S3 ose;Office Source Engine; D:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184] S4 msvsmon80;Visual Studio 2005 Remote Debugger; D:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808] S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; D:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880] -----------------EOF----------------- [ valjan @ 04.04.2009. 11:39 ] @
Did you restart the computer when MBAM asked you to? I see it reported that it would delete Vundo on restart, as well as that Zlob from the thread title. Run another scan with MBAM; if it finds Vundo again, that means it has hidden itself in System Restore and keeps coming back - temporarily disable System Restore, run Disk Cleanup and clean everything, then scan again with MBAM, and once it finishes you can re-enable System Restore.
Also, it is claimed that Spybot S&D (http://www.spybotupdates.com/files/spybotsd162.exe) can detect and remove some Vundo variants, so if after all this you still get those fake warnings and ads in the browser, you can try it as well (install it without TeaTimer).
[This message was edited by Nemanja Živanović on 04.04.2009. at 22:36 GMT+1]
[ Nemanja Živanović @ 04.04.2009. 11:50 ] @
I'll need some time to go through the whole log. For now, we need to delete this:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli D:\WINDOWS\system32\kirenalo.dll
Go to Start → Run → type regedit → HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Control → Lsa; on the right-hand side you need to find the key whose value is D:\WINDOWS\system32\kirenalo.dll and delete it.
Then delete this:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"="STS"
Go to Start → Run → type regedit → HKEY_LOCAL_MACHINE → SOFTWARE → Microsoft → Windows → CurrentVersion → Explorer → SharedTaskScheduler; on the right-hand side you need to find the key whose value is {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} and delete it.
*******
Download the program Avenger, run it, and in the "Input script here" field enter this:
Code:
Files to delete:
D:\WINDOWS\system32\drivers\at3wm9e0.sys
D:\Program Files\Software Informer\softinfo.exe
D:\WINDOWS\system32\kirenalo.dll

Drivers to delete:
at3wm9e0

Registry values to delete:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | Software Informer

Registry keys to delete:
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad351f41-e161-11dd-99f9-00221585308a}
Press Execute and confirm twice with Yes. The program will ask you to restart the computer (sometimes even twice). Paste its log here so we can look at it. Also, I strongly suggest, as a MUST, that you uninstall the programs Ares and Software Informer, and that you format the USB flash drive, since it is infected.
[This message was edited by Nemanja Živanović on 04.04.2009. at 15:41 GMT+1]
[ LORKA @ 04.04.2009. 16:42 ] @
I didn't find that key.
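A read-only audit of the LSA "Notification Packages" entry that the helper above tells the user to look up in regedit (the one carrying kirenalo.dll next to scecli), written as an added PowerShell example that is not part of the thread; it assumes an elevated PowerShell session on the affected machine and a baseline of scecli plus rassfm as the only expected packages.

```powershell
# Added example, not from the thread. Audits the LSA "Notification Packages"
# value (a REG_MULTI_SZ under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) and
# reports every entry that is not a known Windows package, is written as a
# full path, or does not resolve to an existing DLL under system32.
# Read-only: it reports, it does not delete anything.
# Assumed: run as Administrator, PowerShell 2.0 or later.

function Get-LsaNotificationPackageAudit {
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # "scecli" is the default entry on Windows XP; later versions may add
    # others (e.g. rassfm). This is a baseline to extend, not an exhaustive list.
    $knownPackages = @('scecli', 'rassfm')

    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

    foreach ($entry in $packages) {
        if (-not $entry -or -not $entry.Trim()) { continue }

        # Legitimate entries are bare names resolved from %SystemRoot%\system32.
        # A full path (like the D:\WINDOWS\system32\kirenalo.dll entry in the
        # RSIT log) is itself a red flag, whatever the file is.
        $isPath = $entry -match '[\\/]'
        if ($isPath) {
            $dllPath = $entry
        } else {
            $dllPath = Join-Path $env:SystemRoot ("system32\" + $entry + ".dll")
        }

        $baseName = [System.IO.Path]::GetFileNameWithoutExtension($dllPath).ToLower()
        $isKnown  = $knownPackages -contains $baseName
        $exists   = Test-Path -LiteralPath $dllPath

        # Signature status is reported for context only: on older PowerShell,
        # catalog-signed OS files such as scecli.dll may show as NotSigned.
        $sigStatus = 'n/a'
        $signer    = 'n/a'
        if ($exists) {
            $sig = Get-AuthenticodeSignature -FilePath $dllPath
            $sigStatus = [string]$sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        if ($isKnown -and $exists -and -not $isPath) {
            $verdict = 'ok'
        } else {
            $verdict = 'SUSPICIOUS'
        }

        New-Object PSObject -Property @{
            Entry     = $entry
            Resolved  = $dllPath
            Known     = $isKnown
            Exists    = $exists
            Signature = $sigStatus
            Signer    = $signer
            Verdict   = $verdict
        }
    }
}

# Because the value is a multi-string, a cleanup should remove only the foreign
# entry and keep scecli, rather than deleting the whole value.
Get-LsaNotificationPackageAudit | Format-Table Verdict, Entry, Resolved, Exists, Signature -AutoSize
```

An entry flagged SUSPICIOUS because the file is missing (as happened here after MBAM ran) still deserves removal from the value, since LSA will keep trying to load it at every boot.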
[ LORKA @ 04.04.2009. 17:05 ] @
//////////////////////////////////////////
Avenger Pre-Processor log ////////////////////////////////////////// Platform: Windows XP (build 2600, Service Pack 2) Sat Apr 04 17:43:32 2009 17:43:28: Error: Invalid registry syntax in command: "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run|Software Informer" Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program. Skipping line. (Registry value deletion mode) 17:43:30: Error: Invalid registry syntax in command: "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad351f41-e161-11dd-99f9-00221585308a}" Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program. Skipping line. (Registry key deletion mode) 17:43:32: Error: Execution aborted by user! ////////////////////////////////////////// ////////////////////////////////////////// Avenger Pre-Processor log ////////////////////////////////////////// Platform: Windows XP (build 2600, Service Pack 2) Sat Apr 04 17:44:22 2009 17:44:20: Error: Invalid registry syntax in command: "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run|Software Informer" Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program. Skipping line. (Registry value deletion mode) 17:44:22: Error: Execution aborted by user! ////////////////////////////////////////// ////////////////////////////////////////// Avenger Pre-Processor log ////////////////////////////////////////// Platform: Windows XP (build 2600, Service Pack 2) Sat Apr 04 17:53:21 2009 17:53:13: Error: Invalid registry syntax in command: "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run|Software Informer" Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program. Skipping line. 
(Registry value deletion mode) 17:53:14: Error: Invalid registry syntax in command: "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad351f41-e161-11dd-99f9-00221585308a}" Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program. Skipping line. (Registry key deletion mode) ////////////////////////////////////////// Logfile of The Avenger Version 2.0, (c) by Swandog46 http://swandog46.geekstogo.com Platform: Windows XP - ******************* Script file opened successfully. Script file read successfully. Backups directory opened successfully at D:\Avenger ******************* Beginning to process script file: Rootkit scan active. No rootkits found! Error: file "D:\WINDOWS\system32\drivers\at3wm9e0.sys" not found! Deletion of file "D:\WINDOWS\system32\drivers\at3wm9e0.sys" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: could not open file "D:\Program Files\Software Informer\softinfo.exe" Deletion of file "D:\Program Files\Software Informer\softinfo.exe" failed! Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND) --> bad path / the parent directory does not exist Error: file "D:\WINDOWS\system32\kirenalo.dll" not found! Deletion of file "D:\WINDOWS\system32\kirenalo.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\at3wm9e0" not found! Deletion of driver "at3wm9e0" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Completed script processing. ******************* Finished! Terminate. [ Nemanja Živanović @ 04.04.2009. 18:15 ] @
Da probamo jos jednom - pokreni ponovo Avenger i ukucaj samo ovo plavo:
Files to delete:
D:\WINDOWS\system32\drivers\at3wm9e0.sys
D:\Program Files\Software Informer\softinfo.exe
D:\WINDOWS\system32\kirenalo.dll

Drivers to delete:
at3wm9e0

Registry values to delete:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | Software Informer

Registry keys to delete:
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad351f41-e161-11dd-99f9-00221585308a}

Press Execute and confirm twice with Yes. The program will ask you to restart the computer (sometimes even twice). Attach its log as a txt file and upload it here, the way you did with the picture in the previous message, so we can see it.

***********

Download the program RegAlyzer, install it and run it. Try to use it to find those two keys from this message, the ones marked in red, and delete them (find the path and delete the key on the right-hand side - right-click, then Delete Value). If you're not sure, take a PrintScreen and attach the picture to your message.

What do you have on partition C? Do you have two operating systems?

[This message was edited by Nemanja Živanović on 04.04.2009. at 19:36 GMT+1]

[ LORKA @ 04.04.2009. 18:44 ] @
I repeated everything as written; I copied the blue text into Avenger, I don't know if that's maybe the problem
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Sat Apr 04 19:25:48 2009

19:25:45: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run|Software Informer"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line.
 (Registry value deletion mode)

19:25:46: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad351f41-e161-11dd-99f9-00221585308a}"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line.
 (Registry key deletion mode)

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at D:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: file "D:\WINDOWS\system32\drivers\at3wm9e0.sys" not found!
Deletion of file "D:\WINDOWS\system32\drivers\at3wm9e0.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
 --> the object does not exist

Error: could not open file "D:\Program Files\Software Informer\softinfo.exe"
Deletion of file "D:\Program Files\Software Informer\softinfo.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
 --> bad path / the parent directory does not exist

Error: file "D:\WINDOWS\system32\kirenalo.dll" not found!
Deletion of file "D:\WINDOWS\system32\kirenalo.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
 --> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\at3wm9e0" not found!
Deletion of driver "at3wm9e0" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
 --> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

Then I downloaded RegAlyzer but I didn't find this second key; the first one I had already deleted earlier.

[ Nemanja Živanović @ 04.04.2009. 19:20 ] @
OK, since there's no improvement, let's try something more aggressive. First turn off all the protection you have, both NOD32 and MBAM.

Start ESET Smart Security as follows: Start → All Programs → ESET → ESET Smart Security
• When the program's main window opens, click the Setup option on the left side of the window;
• Choose the Antivirus and Antispyware option and click Temporarily disable Antivirus and Antispyware protection.
• At the next question click Yes.

Malwarebytes' Anti-Malware is closed by right-clicking its icon and then Exit.

Download ComboFix to the Desktop. Start it and don't touch the program window while it scans. Follow the instructions the program gives you. When the scanning process finishes, a report will appear, which you should copy here. If you accidentally close the report, it is located at C:\ComboFix.txt.

[ LORKA @ 04.04.2009. 20:55 ] @
ComboFix 09-04-04.01 - dP 2009-04-04 21:40:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1418 [GMT 2:00]
Running from: d:\documents and settings\dP\Desktop\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *enabled*
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
d:\windows\system32\404Fix.exe
d:\windows\system32\Agent.OMZ.Fix.exe
d:\windows\system32\dumphive.exe
d:\windows\system32\IEDFix.C.exe
d:\windows\system32\IEDFix.exe
d:\windows\system32\o4Patch.exe
d:\windows\system32\Process.exe
d:\windows\system32\SrchSTS.exe
d:\windows\system32\tmp.reg
d:\windows\system32\VACFix.exe
d:\windows\system32\VCCLSID.exe
d:\windows\system32\WS2Fix.exe

----- BITS: Possible infected sites -----

hxxp://82.98.235.208
.
((((((((((((((((((((((((( Files Created from 2009-03-04 to 2009-04-04 )))))))))))))))))))))))))))))))
.
2009-04-04 19:31 . 2009-04-04 19:31 <DIR> d-------- d:\program files\Safer Networking
2009-04-04 19:31 . 2009-04-04 19:31 <DIR> d-------- d:\documents and settings\dP\Application Data\Safer Networking
2009-04-04 12:31 . 2009-04-04 12:31 <DIR> d-------- D:\rsit
2009-04-04 12:11 . 2009-04-04 12:11 <DIR> d-------- D:\VundoFix Backups
2009-04-04 04:19 . 2009-04-04 04:19 <DIR> d-------- d:\program files\Malwarebytes' Anti-Malware
2009-04-04 04:19 . 2009-04-04 04:19 <DIR> d-------- d:\documents and settings\dP\Application Data\Malwarebytes
2009-04-04 04:19 . 2009-04-04 04:19 <DIR> d-------- d:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-04 04:19 . 2009-03-26 16:49 38,496 --a------ d:\windows\system32\drivers\mbamswissarmy.sys
2009-04-04 04:19 . 2009-03-26 16:49 15,504 --a------ d:\windows\system32\drivers\mbam.sys
2009-04-03 18:01 . 2009-04-03 18:01 <DIR> d-------- d:\program files\Trend Micro
2009-04-01 23:13 . 2009-04-01 23:13 <DIR> d-------- d:\documents and settings\dP\Application Data\ESET
2009-04-01 23:12 . 2009-04-01 23:12 <DIR> d-------- d:\program files\ESET
2009-04-01 18:18 . 2009-04-01 18:18 3,729 ---hs---- d:\windows\system32\tajopava.exe
2009-04-01 18:18 . 2009-04-01 18:18 0 --ah----- d:\windows\system32\BIT7D0.tmp
2009-03-28 04:25 . 2009-03-28 04:25 <DIR> d-------- d:\program files\Cambridge
2009-03-28 04:11 . 2009-03-30 15:46 <DIR> d-------- d:\documents and settings\dP\Application Data\f2fPreIntermediate
2009-03-27 11:03 . 2009-03-27 11:03 <DIR> d-------- d:\program files\Logitech
2009-03-27 11:03 . 2009-03-27 11:03 <DIR> d-------- d:\program files\Common Files\Logitech
2009-03-27 11:03 . 2003-12-11 10:50 152,064 --------- d:\windows\system32\lmoufrc.dll
2009-03-27 11:03 . 2003-12-18 10:50 104,960 --a------ d:\windows\system32\COMNCTR.DLL
2009-03-27 11:03 . 2003-12-18 10:50 97,792 --a------ d:\windows\system32\LGUICOM.DLL
2009-03-27 11:03 . 2003-12-11 10:50 70,894 --a------ d:\windows\system32\drivers\LMouFlt2.Sys
2009-03-27 11:03 . 2003-12-11 10:50 51,582 --------- d:\windows\system32\drivers\L8042PR2.SYS
2009-03-27 11:03 . 2003-12-11 10:50 37,916 --------- d:\windows\system32\drivers\LHIDUSB.SYS
2009-03-27 11:03 . 2003-12-11 10:50 25,630 --a------ d:\windows\system32\drivers\LHidFlt2.Sys
2009-03-27 11:03 . 2003-12-11 10:50 23,372 --------- d:\windows\system32\LCOINST.DLL
2009-03-27 11:03 . 2003-12-11 10:50 20,992 --------- d:\windows\LOGI_MWX.EXE
2009-03-27 11:03 . 2003-12-18 10:50 16,896 --a------ d:\windows\system32\LMOUSE32.DLL
2009-03-27 11:03 . 2003-12-11 10:50 14,092 --------- d:\windows\system32\drivers\LCCFLTR.SYS
2009-03-27 11:03 . 2003-12-18 10:50 3,568 --a------ d:\windows\system32\LMOUSE16.DLL
2009-03-25 00:13 . 2009-03-25 00:13 <DIR> d--h-c--- d:\documents and settings\All Users\Application Data\{0AAA1129-1E09-47FC-B02B-648C164E1F6F}
2009-03-21 00:25 . 2009-03-21 00:25 41,808 --a------ d:\windows\system32\xfcodec.dll
2009-03-20 16:28 . 2009-03-20 16:28 73,728 --a------ d:\windows\system32\javacpl.cpl
2009-03-19 17:10 . 2009-03-19 17:10 <DIR> d-------- d:\documents and settings\All Users\Application Data\FLEXnet
2009-03-19 17:08 . 2009-03-19 17:08 <DIR> d-------- d:\program files\Common Files\Macrovision Shared
2009-03-19 17:07 . 2009-03-19 17:07 <DIR> d-------- D:\TeklaStructures
2009-03-19 17:06 . 2009-03-19 17:10 <DIR> d-------- D:\TeklaStructuresModels
2009-03-18 21:54 . 2009-03-18 21:54 <DIR> d-------- d:\documents and settings\dP\Shared
2009-03-18 21:53 . 2009-04-01 22:29 <DIR> d-------- d:\program files\P2P_Energy
2009-03-18 21:53 . 2009-03-18 21:53 <DIR> d-------- d:\program files\Conduit
2009-03-18 21:53 . 2009-03-18 21:53 <DIR> d-------- d:\documents and settings\dP\Incomplete
2009-03-18 21:53 . 2009-03-18 21:54 <DIR> d-------- d:\documents and settings\dP\Application Data\LimeWireTurbo
2009-03-16 21:22 . 2008-12-25 18:32 3,721,664 --a------ d:\windows\system32\drivers\RtKHDMI.sys
2009-03-16 21:22 . 2008-09-19 18:48 1,200,128 --a------ d:\windows\RtkUpd.exe
2009-03-16 17:00 . 2005-02-02 03:29 20,480 --a------ d:\windows\usnpstd.exe
2009-03-16 16:51 . 2009-04-04 10:26 <DIR> d-------- d:\program files\Uniblue
2009-03-16 16:51 . 2009-03-16 16:51 <DIR> d--h-c--- d:\documents and settings\All Users\Application Data\{D5ABFFAD-D592-4F98-B02B-587125B4801F}
2009-03-15 23:38 . 2009-03-15 23:45 <DIR> d-------- d:\program files\SATVOD
2009-03-15 00:12 . 2009-04-04 01:31 <DIR> d-------- d:\documents and settings\dP\Application Data\Uniblue
2009-03-15 00:12 . 2009-03-16 16:56 <DIR> d-------- d:\documents and settings\All Users\Application Data\DriverScanner
2009-03-14 23:19 . 2009-03-14 23:19 <DIR> d-------- d:\windows\Sun
2009-03-14 11:12 . 2009-03-14 11:12 <DIR> d-------- d:\documents and settings\dP\Application Data\The Creative Assembly
2009-03-05 23:11 . 2009-03-05 23:51 <DIR> d-------- d:\program files\PDF Creator Plus 4.0
2009-03-05 23:11 . 2009-03-05 23:11 <DIR> d-------- d:\documents and settings\dP\Application Data\PEERNET
2009-03-05 23:11 . 2009-03-05 23:11 <DIR> d-------- d:\documents and settings\All Users\Application Data\PEERNET
2009-03-04 12:06 . 2009-04-04 21:43 <DIR> d-------- d:\program files\Steam
2009-03-04 12:05 . 2009-03-04 12:06 <DIR> d-------- d:\program files\Microsoft Games for Windows - LIVE
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-04 19:44 --------- d-----w d:\documents and settings\dP\Application Data\Skype
2009-04-04 18:08 --------- d-----w d:\documents and settings\All Users\Application Data\Google Updater
2009-04-04 17:28 --------- d-----w d:\documents and settings\dP\Application Data\skypePM
2009-04-04 04:04 --------- d-----w d:\program files\Xfire
2009-04-04 00:34 138,920 ----a-w d:\windows\system32\drivers\PnkBstrK.sys
2009-04-04 00:33 --------- d-----w d:\documents and settings\dP\Application Data\Xfire
2009-04-01 21:12 --------- d-----w d:\documents and settings\All Users\Application Data\ESET
2009-04-01 16:28 --------- d-----w d:\program files\Morton Benson
2009-04-01 08:02 --------- d-----w d:\program files\Google
2009-03-30 09:18 --------- d-----w d:\documents and settings\dP\Application Data\uTorrent
2009-03-28 02:02 --------- d-----w d:\documents and settings\dP\Application Data\f2fElementary
2009-03-27 09:03 --------- d--h--w d:\program files\InstallShield Installation Information
2009-03-24 22:12 --------- dc-h--w d:\documents and settings\All Users\Application Data\{0151C9FC-719D-4459-B1E2-4685CC6E62A8}
2009-03-20 14:28 --------- d-----w d:\program files\Java
2009-03-19 14:38 --------- d-----w d:\documents and settings\All Users\Application Data\Nero
2009-03-18 11:18 --------- d-----w d:\program files\Common Files\Adobe
2009-03-16 19:21 --------- d-----w d:\documents and settings\All Users\Application Data\DassaultSystemes
2009-03-15 00:41 --------- d-----w d:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-15 00:40 --------- d-----w d:\program files\Microsoft Visual Studio 8
2009-03-15 00:30 --------- d-----w d:\documents and settings\dP\Application Data\BSplayer
2009-03-05 21:11 --------- d-----w d:\program files\Common Files\Wise Installation Wizard
2009-03-02 14:47 --------- d-----w d:\program files\Common Files\Adobe AIR
2009-03-01 14:05 --------- d-----w d:\program files\JavaHMO
2009-03-01 14:05 --------- d-----w d:\program files\Common Files\TiVo Shared
2009-03-01 14:04 --------- d-----w d:\program files\Common Files\Java
2009-03-01 13:43 --------- d-----w d:\program files\Paragon Software
2009-03-01 12:57 --------- d-----w d:\program files\DiskInternals
2009-02-28 18:43 --------- d-----w d:\documents and settings\dP\Application Data\DAEMON Tools Pro
2009-02-28 18:42 --------- d-----w d:\program files\DAEMON Tools Pro
2009-02-28 18:37 --------- d-----w d:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-02-28 18:32 717,296 ----a-w d:\windows\system32\drivers\sptd.sys
2009-02-28 10:17 --------- d-----w d:\program files\HUB
2009-02-28 09:57 --------- d-----w d:\documents and settings\dP\Application Data\Red Alert 3 Demo
2009-02-27 22:05 --------- d-----w d:\program files\eMule
2009-02-25 16:34 --------- d-----w d:\program files\MSXML 4.0
2009-02-25 16:34 --------- d-----w d:\program files\DD PlayCam
2009-02-25 16:33 --------- d-----w d:\program files\VideoCAM Eye
2009-02-25 16:33 --------- d-----w d:\program files\Common Files\VCAMEye
2009-02-22 17:46 --------- d-----w d:\documents and settings\dP\Application Data\Sports Interactive
2009-02-22 17:39 --------- d-----w d:\program files\Sports Interactive
2009-02-22 17:38 --------- d-----w d:\documents and settings\All Users\Application Data\Sports Interactive
2009-02-16 22:50 --------- d--h--w d:\program files\Zero G Registry
2009-02-14 19:43 --------- d-----w d:\documents and settings\All Users\Application Data\Fallout3
2009-02-11 15:19 --------- d-----w d:\program files\Adobe Media Player
2009-02-10 21:57 --------- d-----w d:\program files\Common Files\Skype
2009-02-10 21:57 --------- d-----w d:\documents and settings\All Users\Application Data\Skype
2009-02-10 21:57 --------- d-----r d:\program files\Skype
2009-02-08 08:59 --------- d-----w d:\program files\Siber Systems
2009-02-07 19:48 22,328 ----a-w d:\documents and settings\dP\Application Data\PnkBstrK.sys
2009-02-07 19:36 --------- d-----w d:\program files\Activision
2009-02-06 12:24 56,280 ----a-w d:\windows\system32\drivers\epfwtdi.sys
2009-02-06 12:24 33,096 ----a-w d:\windows\system32\drivers\epfwndis.sys
2009-02-06 12:24 130,952 ----a-w d:\windows\system32\drivers\epfw.sys
2009-02-06 12:23 106,208 ----a-w d:\windows\system32\drivers\ehdrv.sys
2009-02-06 12:19 113,448 ----a-w d:\windows\system32\drivers\eamon.sys
2009-01-31 00:04 2,521 ----a-w d:\program files\Common Files\unins000.dat
2009-01-31 00:03 728,858 ----a-w d:\program files\Common Files\unins000.exe
2008-03-09 06:25 236 ---ha-w d:\program files\Common Files\dx.reg
.
------- Sigcheck -------
2009-04-01 00:12 31232 1ec93eaa7ba8fef99e00d26185b7f520 d:\windows\system32\userinit.exe
2004-08-04 02:56 24576 39b1ffb03c2296323832acbae50d2aff d:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-07 39408]
"Skype"="d:\program files\Skype\Phone\Skype.exe" [2009-02-04 23975720]
"DAEMON Tools Pro Agent"="d:\program files\DAEMON Tools Pro\DTProAgent.exe" [2009-01-26 228808]
"Steam"="d:\program files\Steam\Steam.exe" [2009-03-04 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Six Engine"="d:\program files\ASUS\EPU-4 Engine\FourEngine.exe" [2008-06-25 5625344]
"PWRISOVM.EXE"="d:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]
"GrooveMonitor"="d:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"WinampAgent"="d:\program files\Winamp\winampa.exe" [2008-08-04 36352]
"snpstd"="d:\windows\vsnpstd.exe" [2005-10-11 339968]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-03-20 148888]
"egui"="d:\program files\ESET\ESET Smart Security\egui.exe" [2009-02-06 2021400]
"RTHDCPL"="RTHDCPL.EXE" [2008-12-26 d:\windows\RTHDCPL.EXE]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 d:\windows\LOGI_MWX.EXE]

d:\documents and settings\dP\Start Menu\Programs\Startup\
Adobe Media Player.lnk - d:\program files\Adobe Media Player\Adobe Media Player.exe [2009-02-11 261120]
OneNote 2007 Screen Clipper and Launcher.lnk - d:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
Xfire.lnk - d:\program files\Xfire\Xfire.exe [2009-03-21 3025232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
"vidc.MJPG"= MJPEGCodecVFW.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\WINDOWS\\system32\\PnkBstrA.exe"=
"d:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"d:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2009\\pes2009.exe"=
"d:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis Wars\\Bin32\\Crysis.exe"=
"d:\\Program Files\\eMule\\emule.exe"=
"d:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"d:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"d:\\Program Files\\Sports Interactive\\Football Manager 2009\\fm.exe"=
"c:\\Program Files\\Dassault Systemes\\B18\\intel_a\\code\\bin\\CATUTIL.exe"=
"c:\\Program Files\\Dassault Systemes\\B18\\intel_a\\code\\bin\\CATSysDemon.exe"=
"d:\\WINDOWS\\system32\\dpvsetup.exe"=
"d:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Dassault Systemes\\B18\\intel_a\\code\\bin\\CNEXT.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 hotcore3;hc3ServiceName;d:\windows\system32\drivers\hotcore3.sys [2009-03-01 40496]
R1 ehdrv;ehdrv;d:\windows\system32\drivers\ehdrv.sys [2009-02-06 106208]
R1 LUM;LUM;d:\windows\system32\drivers\LUM.sys [2007-06-05 16528]
R1 LUMDriver;LUMDriver;d:\windows\system32\drivers\LUMDriver.sys [2007-04-24 16688]
R2 acedrv11;acedrv11;d:\windows\system32\drivers\acedrv11.sys [2008-07-30 277736]
R2 ekrn;ESET Service;d:\program files\ESET\ESET Smart Security\ekrn.exe [2009-02-06 727720]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;d:\windows\system32\drivers\l1e51x86.sys [2008-11-26 36864]
S2 gupdate1c95ca59863e4d4;Google Update Service (gupdate1c95ca59863e4d4);d:\program files\Google\Update\GoogleUpdate.exe [2008-12-13 133104]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;d:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad351f41-e161-11dd-99f9-00221585308a}]
\Shell\AutoRun\command - d:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs
.
Contents of the 'Scheduled Tasks' folder

2009-04-04 d:\windows\Tasks\Google Software Updater.job
- d:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-25 21:25]

2009-04-04 d:\windows\Tasks\GoogleUpdateTaskMachine.job
- d:\program files\Google\Update\GoogleUpdate.exe [2009-02-12 03:22]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Software Informer - d:\program files\Software Informer\softinfo.exe
HKCU-Run-Uniblue RegistryBooster 2009 - d:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
HKCU-Run-fsm - (no file)
MSConfigStartUp-ares - d:\program files\Ares\Ares.exe
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - d:\documents and settings\dP\Application Data\Mozilla\Firefox\Profiles\lc4zoy5a.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1460988&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1460988&SearchSource=2&q=
FF - component: d:\documents and settings\dP\Application Data\Mozilla\Firefox\Profiles\lc4zoy5a.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - component: d:\documents and settings\dP\Application Data\Mozilla\Firefox\Profiles\lc4zoy5a.default\extensions\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}\components\FFAlert.dll
FF - component: d:\documents and settings\dP\Application Data\Mozilla\Firefox\Profiles\lc4zoy5a.default\extensions\{b579a202-4a9e-478b-b9ab-048a4ce7833e}\components\FFExternalAlert.dll
FF - component: d:\documents and settings\dP\Application Data\Mozilla\Firefox\Profiles\lc4zoy5a.default\extensions\[email protected]\components\coolirisstub.dll
FF - component: d:\program files\BS.Player ControlBar\FirefoxDTT\components\BSToolbarFF.dll
FF - plugin: d:\program files\Google\Google Earth Plugin\npgeplugin.dll
FF - plugin: d:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: d:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: d:\program files\Opera\program\plugins\NPJava11.dll
FF - plugin: d:\program files\Opera\program\plugins\NPJava12.dll
FF - plugin: d:\program files\Opera\program\plugins\NPJava13.dll
FF - plugin: d:\program files\Opera\program\plugins\NPJava14.dll
FF - plugin: d:\program files\Opera\program\plugins\NPJava32.dll
FF - plugin: d:\program files\Opera\program\plugins\NPJPI142_06.dll
FF - plugin: d:\program files\Opera\program\plugins\NPOJI610.dll
.
**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-04 21:43:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1085031214-436374069-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1085031214-436374069-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:98,0b,2f,d9,1c,ad,6a,09,a3,66,1f,f9,84,cd,05,e0,78,39,50,6d,e6,
   da,ec,51,b7,0d,25,4a,16,b6,58,10,7b,5b,55,76,bf,ce,ad,f4,c7,32,37,37,1d,68,\
"rkeysecu"=hex:07,31,a4,ab,e5,fc,54,9e,3c,9e,b3,f3,2a,52,5e,e0

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):06,b1,30,d0,96,61,69,83,f8,c0,ef,3a,d7,f3,13,a3,5b,32,93,18,a0,
   51,98,0c,c8,8b,c4,b9,87,1c,21,0d,d1,fa,8e,7f,c4,90,8c,a0,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{c1b3b457-792a-4e4a-940f-648264f3a59c}]
@Denied: (Full) (Everyone)
"Model"=dword:0000016b
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
   38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1108)
d:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\ati2evxx.exe
d:\windows\system32\ati2evxx.exe
d:\windows\system32\userinit.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
d:\windows\system32\PnkBstrA.exe
d:\windows\system32\PnkBstrB.exe
d:\windows\system32\wdfmgr.exe
d:\windows\system32\wscntfy.exe
d:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
d:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-04-04 21:45:47 - machine was rebooted [dP]
ComboFix-quarantined-files.txt 2009-04-04 19:45:45

Pre-Run: 15,303,585,792 bytes free
Post-Run: 19,812,356,096 bytes free

315

[ Nemanja Živanović @ 04.04.2009. 21:49 ] @
Open Notepad and copy the following text into it:

Code:
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad351f41-e161-11dd-99f9-00221585308a}]

Save that file to the Desktop under the name "CFScript".

Drag the saved text file onto the ComboFix icon, as shown in the picture. Post in the next message the log that is produced at the end of the cleaning/scanning.

[ LORKA @ 04.04.2009. 22:30 ] @
Below is the log file I got
[ Nemanja Živanović @ 04.04.2009. 22:36 ] @
What is the situation now?
[ valjan @ 05.04.2009. 00:27 ] @
As far as I can see from the ComboFix log, your userinit is still infected:

------- Sigcheck -------
2009-04-01 00:12 31232 1ec93eaa7ba8fef99e00d26185b7f520 d:\windows\system32\userinit.exe
2004-08-04 02:56 24576 39b1ffb03c2296323832acbae50d2aff d:\windows\system32\dllcache\userinit.exe

So, you can delete whatever and as much as you like, but the very next time you log on, this one is active again... If you don't get anywhere in the next 24 hours, I recommend you try the userinit.exe repair I wrote about today (except that in your case it isn't c:\windows\system32\userinit.exe but d:\windows\system32\userinit.exe). And as you can see, you have a "healthy" copy of userinit in dllcache, so if you're skilled enough, you can also pull it out from there and overwrite this Zlob one.

[ LORKA @ 05.04.2009. 01:17 ] @
Now it seems OK to me, because it no longer opens Internet Explorer and doesn't warn me that I have a security problem.
Yes, it's true that the virus still exists, because NOD still detects it at the same location; also, the computer runs quite a bit faster than before. I'll see how to resolve this problem for good; I'm not really an advanced user, but I'll try to find someone more skilled. In any case, many thanks for the effort you put into helping me.

[ Nemanja Živanović @ 05.04.2009. 09:56 ] @
We're not finished yet. Open Notepad and copy the following text into it:

Code:
FMOVE::
d:\windows\system32\dllcache\userinit.exe|d:\windows\system32\userinit.exe

Save that file to the Desktop under the name "CFScript".

Drag the saved text file onto the ComboFix icon, as shown in the picture. Post in the next message the log that is produced at the end of the cleaning/scanning.
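An added example for valjan's observation above and the dllcache restore step that closes the thread (this is not code from the thread, from ComboFix or from ESET; every function and variable name is this example's own). It parses the Sigcheck lines of a ComboFix log in the format shown above, pairs each system32 binary with its Windows File Protection copy under dllcache, and reports the pairs whose size or MD5 differ, which is exactly the userinit.exe situation here. It also includes an on-disk check that confirms a dllcache copy still has the size and hash recorded in the log before that copy is used to overwrite the infected file. The sample log is constructed from the two Sigcheck lines quoted in the thread.

```python
"""Spot a system binary whose live copy differs from its dllcache copy.

Added example (not from the thread, ComboFix or ESET): parses the
"------- Sigcheck -------" section of a ComboFix log, pairs each system32
binary with its Windows File Protection copy under dllcache, and reports
the pairs whose size or MD5 differ. All names here are the example's own.
"""
from __future__ import annotations

import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

# A Sigcheck line: date, time, size in bytes, MD5 and path.
SIGCHECK_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\d+) ([0-9a-fA-F]{32}) (\S.*?)\s*$"
)

# Constructed sample: the two Sigcheck lines quoted in the thread, wrapped in
# the section banners ComboFix prints around them.
SAMPLE_LOG = r"""
.
------- Sigcheck -------
2009-04-01 00:12 31232 1ec93eaa7ba8fef99e00d26185b7f520 d:\windows\system32\userinit.exe
2004-08-04 02:56 24576 39b1ffb03c2296323832acbae50d2aff d:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
"""


@dataclass(frozen=True)
class SigEntry:
    timestamp: str
    size: int
    md5: str
    path: str

    @property
    def is_dllcache(self) -> bool:
        return "\\dllcache\\" in self.path.lower()

    @property
    def basename(self) -> str:
        return self.path.lower().rsplit("\\", 1)[-1]


def parse_sigcheck(log_text: str) -> list[SigEntry]:
    """Return the entries between the Sigcheck banner and the next section."""
    entries: list[SigEntry] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("------- Sigcheck -------"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("(((("):  # banner of the following section
            break
        m = SIGCHECK_LINE.match(line)
        if m:
            date, clock, size, md5, path = m.groups()
            entries.append(SigEntry(f"{date} {clock}", int(size), md5.lower(), path))
    return entries


def dllcache_mismatches(entries: list[SigEntry]) -> list[dict]:
    """Pair live and dllcache copies by file name; report the pairs that differ.

    A live copy that no longer matches the protected copy is the pattern valjan
    points at: the file on disk is not the one Windows shipped, and Winlogon
    runs it again at the next logon whatever else has been deleted.
    """
    pairs: dict[str, dict[str, SigEntry]] = {}
    for e in entries:
        pairs.setdefault(e.basename, {})["cache" if e.is_dllcache else "live"] = e
    report = []
    for name, pair in sorted(pairs.items()):
        live, cache = pair.get("live"), pair.get("cache")
        if live is None or cache is None:
            continue
        if live.size != cache.size or live.md5 != cache.md5:
            report.append({"file": name, "live": live, "cache": cache})
    return report


def md5_of_file(path: str) -> str:
    """Stream a file through MD5 (the digest ComboFix prints in Sigcheck)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def cache_copy_matches(cache_path: str, expected_md5: str, expected_size: int) -> bool:
    """Confirm a dllcache copy still has the size and hash recorded in the log
    before it is used to overwrite the infected file (the FMOVE step)."""
    return (os.path.getsize(cache_path) == expected_size
            and md5_of_file(cache_path) == expected_md5.lower())


def selfcheck_cache_copy() -> bool:
    """Exercise cache_copy_matches on a constructed stand-in file, not a real binary."""
    data = b"MZ constructed stand-in for a dllcache copy"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        name = tmp.name
    try:
        good = cache_copy_matches(name, hashlib.md5(data).hexdigest(), len(data))
        bad = cache_copy_matches(name, "0" * 32, len(data))
        return good and not bad
    finally:
        os.unlink(name)


if __name__ == "__main__":
    for hit in dllcache_mismatches(parse_sigcheck(SAMPLE_LOG)):
        print(f"{hit['file']}: live {hit['live'].size} B {hit['live'].md5} "
              f"!= dllcache {hit['cache'].size} B {hit['cache'].md5}")
    print("dllcache self-check:", selfcheck_cache_copy())
```

Run against the sample, it reports userinit.exe with the 31232-byte live copy differing from the 24576-byte dllcache copy. On a real machine the second half of the check matters as much as the first: a dllcache copy can itself have been replaced, so compare its hash and size with the values you trust (here, the ones ComboFix recorded) before moving it over the live file.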