PDA

View Full Version : Possible Virtumonde infection (Solved)



karadjordje
2008-11-10, 19:34
Hello everybody,

By my own mistake I think I have infected my laptop. I had an updated Avira AntiVir personal installed on my updated Vista SP2 business edition when I run a file I didn't deem suspicious because I have scanned its directory manually by Avira.

When I run the file I didn't get any warnings from Avira but from Windows Defender which detected and cleaned it as follows:


Category:
Trojan

Description:
This program displays advertisements and may be difficult to remove.

Advice:
Remove this software immediately.

Resources:
process:
pid:712

process:
pid:5848

regkey:
HKCU@S-1-5-21-4042144296-3311917591-612435275-1000\Software\Microsoft\Windows\CurrentVersion\Run\\cmds

runkey:
HKCU@S-1-5-21-4042144296-3311917591-612435275-1000\Software\Microsoft\Windows\CurrentVersion\Run\\cmds

file:
C:\Users\petar\AppData\Local\Temp\wvUnMfee.dll


Category:
Trojan

Description:
This program displays advertisements and may be difficult to remove.

Advice:
Remove this software immediately.

Resources:
regkey:
HKCU@S-1-5-21-4042144296-3311917591-612435275-1000\Software\Microsoft\Windows\CurrentVersion\Run\\MSServer

runkey:
HKCU@S-1-5-21-4042144296-3311917591-612435275-1000\Software\Microsoft\Windows\CurrentVersion\Run\\MSServer

file:
C:\Users\petar\AppData\Local\Temp\jkkICvVp.dll

After that I wasn't happy any more with Avira so I uninstalled it and downloaded ESET NOD32 30-day trial, updated it and scanned my computer:


Scan Log
Version of virus signature database: 3231 (20080701)
Date: 8.11.2008 Time: 18:52:06
Scanned disks, folders and files: C:\;D:\
C:\hiberfil.sys - error opening [4]
C:\dev\Python25\Lib\email\test\data\msg_28.txt » MIME » MIME » part000.txt » MIME - file is not an archive
C:\dev\Python25\Lib\email\test\data\msg_28.txt » MIME » MIME » part000.txt » MIME - file is not an archive
C:\dev\Python25\Lib\email\test\data\msg_30.txt » MIME » part000.txt » MIME » part000.txt » MIME - file is not an archive
C:\dev\Python25\Lib\email\test\data\msg_30.txt » MIME » part001.txt » MIME » part000.txt » MIME - file is not an archive
C:\dev\Python25\Lib\email\test\data\msg_38.txt » MIME » MIME » MIME » part000.txt - error reading archive
C:\dev\Python25\Lib\email\test\data\msg_38.txt » MIME » MIME » - error reading archive
C:\dev\Python25\Lib\test\testtar.tar » TAR » test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/ - archive damaged
C:\Program Files\The KMPlayer\KMPlayer.exe » ZIP - file is not an archive
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1e01a5229f1_830ce74a-6bd8-4950-a3d5-4213a5a0e1fd - error opening [4]
C:\ProgramData\Microsoft\User Account Pictures\LOGIN+sumadinac.dat - error opening [4]
C:\ProgramData\Microsoft\User Account Pictures\uros.dat - error opening [4]
C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1e01a5229f1_830ce74a-6bd8-4950-a3d5-4213a5a0e1fd - error opening [4]
C:\Users\All Users\Microsoft\User Account Pictures\LOGIN+sumadinac.dat - error opening [4]
C:\Users\All Users\Microsoft\User Account Pictures\uros.dat - error opening [4]
C:\Users\petar\NTUSER.DAT - error opening [4]
C:\Users\petar\ntuser.dat.LOG1 - error opening [4]
C:\Users\petar\ntuser.dat.LOG2 - error opening [4]
C:\Users\petar\AppData\Local\Microsoft\Windows\UsrClass.dat - error opening [4]
C:\Users\petar\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 - error opening [4]
C:\Users\petar\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 - error opening [4]
C:\Users\petar\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FBOQCQZG\swflash[2].cab » CAB » FP_AX_CAB_INSTALLER.exe » NSIS - archive damaged
C:\Users\petar\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\SL56SRED\ISACLIENT-KB929556-ENU[1].EXE » CAB - file is not an archive
C:\Users\petar\AppData\Local\Microsoft\Windows Defender\FileTracker\{0520259C-76CA-43DE-A469-08232F64F584} - error opening [4]
C:\Users\petar\AppData\Local\Temp\etilqs_FKR9hi7OAGaPBj8NiHUS - error opening [4]
C:\Users\petar\AppData\Local\Temp\removalfile.bat - Win32/Adware.Virtumonde application - cleaned by deleting - quarantined [1]
C:\Users\petar\AppData\Roaming\Mozilla\Firefox\Profiles\xi1xs3kj.default\parent.lock - error opening [4]
C:\Users\petar\AppData\Roaming\Mozilla\Firefox\Profiles\xi1xs3kj.default\places.sqlite-journal - error opening [4]
C:\Windows\Logs\CBS\CBS.log - error opening [4]
C:\Windows\Logs\DPX\setupact.log - error opening [4]
C:\Windows\Logs\DPX\setuperr.log - error opening [4]
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config - error opening [4]
C:\Windows\Panther\UnattendGC\diagerr.xml - error opening [4]
C:\Windows\Panther\UnattendGC\diagwrn.xml - error opening [4]
C:\Windows\Panther\UnattendGC\setupact.log - error opening [4]
C:\Windows\Panther\UnattendGC\setuperr.log - error opening [4]
C:\Windows\security\database\secedit.sdb - error opening [4]
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 - error opening [4]
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 - error opening [4]
C:\Windows\System32\catroot2\edb.log - error opening [4]
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb - error opening [4]
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb - error opening [4]
C:\Windows\System32\drivers\sptd.sys - error opening [4]
C:\Windows\System32\restore\MachineGuid.txt - error opening [4]
C:\Windows\System32\wbem\AutoRecover\0296C47314AB746EC35476488248FCD9.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\040270F850D5C3C91057DDDA2DA294D8.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\0A9DBC92D554324656F61F9862679F27.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\0DF617D6737A7561E732F853792261C3.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\1E2E58C73053C7775EB226DB5E739137.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\26C097A9392F8C541AD42E89B7909073.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\2A811E5CCC22CC9D7AE2B04EF0402688.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\2AA23BB86A5EBD8BC2D820944E55B233.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\2CE523184A801AA7361A7039E2D6B41D.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\2D57A7682ACD19214C258D31A06D008F.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\3460B7617E0429A960E481B197F238A3.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\376786241A5443E41378D25CF812FCC1.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\3DC0BABDCA20E5E319117C21BD4BD795.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\43A7EEE279F15546EE900076CA8CC2C8.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\494C62FAA08CD5217399BAA555FF491B.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\4A01E0F376B5833EBA98F0D1D5F60CD1.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\4B471F64BAF831EC7945C820FD5A16E5.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\4CB32C0A77CD4D9B0C9618F73F786C32.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\5774C77265BE4C55B5C6C9718979E015.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\5966D45C7B25EACA46E87DD8E5703964.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\5B5D21CF62E70BACF9D085E6AA6CE143.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\6317F4B515BD547512FF3AE3ACD81242.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\69554D930FCA40B0304B9A43A8036F2D.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\72F867EF62976CE9F70993FF3E68A4EB.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\73798C03E4DE5FDCF5194ADA9EBFB859.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\75054C3771DF289038069A9BB1C1FB6E.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\7851AF96EA828F912853F32DB0D96138.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\7F417E1A6D819A9B2FEB55DA6858EA0A.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\87AA2A001CE3E89926688B93E4DC2992.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\8C718B5AFD373885B68D2836088CAF9A.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\903E49C444C46FEF5F2C3A189C9CEF71.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\95CF8C2673B156E93407C44DA1171F14.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\96ABB1671705F680578FE240427CBD4F.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\9A72EE7775E8021F75961342B8AFD1B4.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\9AD3182A2F39A3E091E15109132EC6CC.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\9CD33F0956942860B50AA1B9330DEFAF.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\9E06E4FE97F0CBB8D659894823F805D7.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\A80FF2DC09487ECD60AFB147B262BDD7.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\AA6E0E396C238977CA909EFD82299737.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\AA742824DCADA846BA4B665D686DD5D6.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\BBF206490BAA431B592F9A13534F43F6.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\BE81B2C0741907C1FC1C42B6223E59AD.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\C6300BFE37ADE6B52EC023F66124985F.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\D1A1B12A7DA3F9675C01397A26DBF4B3.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\D4C4BA54B6A8FA6211E60E2ADFF7426A.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\DE391013DA56ABA39FFF40A9ABDF052F.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\DF80FD3849FFF74B4BF43E2EA8ADEC8A.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\DFB9AD54AC2D3B8122567AAD3BF3EB7F.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\E04DE4CDFEC284A342159BB920976701.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\E478A5DB75C9721E744C05D78DBACFD3.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\E737DE61441445E1FDFCA45EF5E7D987.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\E9D8A460B2C986DD5FF19F299F4A27EC.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\EC45C70F2A3D9DED718E71631C38E2FE.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\F01326692CC5736EBAC31B9FC2381CF2.mof - error opening [4]
C:\Windows\System32\wbem\AutoRecover\F81E6BEBC3067C406E6C491608474198.mof - error opening [4]
C:\Windows\System32\winevt\Logs\ACEEventLog.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Application.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\DFS Replication.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Key Management Service.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Backup.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CorruptedFileRecovery-Client%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CorruptedFileRecovery-Server%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DateTimeControlPanel%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-MSDT%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-PLA%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Networking%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnostic%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticResolver%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Forwarding%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Help%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WDI%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-MemoryDiagnostics-Results%4Debug.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Metrics.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RemoteAssistance%4Admin.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RemoteAssistance%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-PnPDevices%4Admin.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-PnPDevices%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winsock-WS2HELP%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wired-AutoConfig%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\ODiag.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\OSession.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Security.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\Setup.evtx - error opening [4]
C:\Windows\System32\winevt\Logs\System.evtx - error opening [4]
C:\Windows\winsxs\x86_microsoft-network-internet-access_31bf3856ad364e35_6.0.6000.16386_none_b85711c14117830d\cclitesetupui.exe » CAB - file is not an archive
C:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6000.16386_none_cef7ceb03914a67f\dnary.xsd - error opening [4]
C:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6001.18000_none_d12e90ac35ffb753\dnary.xsd - error opening [4]
D:\pagefile.sys - error opening [4]
D:\Games\CS 1.5\cd-client-4_17_1-en.exe » NSIS - bad archive
D:\Programs\Mobile\Motorola\MobileManager.zip » ZIP » run.exe » NSIS » isecur.dll - a variant of Win32/TrojanDownloader.Zlob.AHV trojan - was a part of the deleted object
D:\Programs\Multimedia\Players\KMPlayer\The_KMPlayer_1432_R2.exe » NSIS » KMPlayer.exe » ZIP - file is not an archive
D:\Programs\Programming\Game Engines\panda3d-1.5.0.exe » NSIS » msg_28.txt » MIME » MIME » part000.txt » MIME - file is not an archive
D:\Programs\Programming\Game Engines\panda3d-1.5.0.exe » NSIS » msg_28.txt » MIME » MIME » part000.txt » MIME - file is not an archive
D:\Programs\Programming\Game Engines\panda3d-1.5.0.exe » NSIS » msg_30.txt » MIME » part000.txt » MIME » part000.txt » MIME - file is not an archive
D:\Programs\Programming\Game Engines\panda3d-1.5.0.exe » NSIS » msg_30.txt » MIME » part001.txt » MIME » part000.txt » MIME - file is not an archive
D:\Programs\Programming\Game Engines\panda3d-1.5.0.exe » NSIS » msg_38.txt » MIME » MIME » MIME » part000.txt - error reading archive
D:\Programs\Programming\Game Engines\panda3d-1.5.0.exe » NSIS » msg_38.txt » MIME » MIME » - error reading archive
D:\Programs\Programming\Game Engines\panda3d-1.5.0.exe » NSIS » testtar.tar » TAR » test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/test/ - archive damaged
D:\Programs\Programming\Python\Packages\matplotlib-0.91.2.win32-py2.5.exe » ZIP » PLATLIB/dateutil/zoneinfo/zoneinfo-2007f.tar.gz » GZIP » /home/niemeyer/src/dateutil/dateutil/zoneinfo/zoneinfo-2007f.tar » TAR » Atlantic/Faeroe » TAR » Indian/ - error reading archive
D:\Programs\Programming\Python\Packages\matplotlib-0.91.2.win32-py2.5.exe » ZIP » PLATLIB/dateutil/zoneinfo/zoneinfo-2007f.tar.gz » GZIP » /home/niemeyer/src/dateutil/dateutil/zoneinfo/zoneinfo-2007f.tar » TAR » - archive damaged
D:\Programs\Programming\WYSIWYG Online Editors\XStandard\x-pro.exe » NSIS - bad archive
D:\Video\Music\Benny Benassi - Satisfaction.wmv - a variant of WMA/TrojanDownloader.GetCodec.gen trojan - cleaned - quarantined
D:\_downloads\tcup.zip » ZIP » tcup4.3.exe » NSIS » Revelation.exe - Win32/PSWTool.SnadBoy.2011 application - was a part of the deleted object
D:\_downloads\tcup.zip » ZIP » tcup4.3.exe » NSIS » RevelationHelper.dll - Win32/PSWTool.SnadBoy.2011 application - was a part of the deleted object
D:\_downloads\tcup.zip » ZIP » tcup4.3.exe » NSIS » WinVNC.exe » ZIP » META-INF/ - archive damaged
D:\_downloads\vizster.wmv - a variant of WMA/TrojanDownloader.GetCodec.gen trojan - cleaned - quarantined
D:\_downloads\Web 2.0 - The Machine is Us(ing Us).wmv - a variant of WMA/TrojanDownloader.GetCodec.gen trojan - cleaned - quarantined
D:\_downloads\CryptLoad\router\FRITZ!Box\nc.exe - Win32/RemoteAdmin.NetCat application - cleaned by deleting - quarantined [1]
Number of scanned objects: 942885
Number of threats found: 40
Number of cleaned objects: 39
Time of completion: 20:31:08 Total scanning time: 5942 sec (01:39:02)

Notes:
[1] Object has been deleted as it only contained the virus body.
[4] Object cannot be opened. It may be in use by another application or operating system.


Today I run SpyBot S&D:

Hint of the Day: Click the bar at the right of this to see more information! ()


Virtumonde: [SBI $1F8EC695] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR

Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


WebTrends live: Tracking cookie (Firefox: default) (Cookie, fixed)


BurstMedia: Tracking cookie (Firefox: default) (Cookie, fixed)


BurstMedia: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


Zedo: Tracking cookie (Firefox: default) (Cookie, fixed)


Zedo: Tracking cookie (Firefox: default) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: default) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: default) (Cookie, fixed)


DoubleClick: Tracking cookie (Firefox: default) (Cookie, fixed)


Tradedoubler: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)


CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)


CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)


CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)


CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)


CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-09-16 TeaTimer.exe (1.6.3.25)
2008-11-08 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-10-22 advcheck.dll (1.6.2.13)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-07-07 Tools.dll (2.1.5.7)
2008-11-04 Includes\Adware.sbi (*)
2008-11-05 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-09-02 Includes\Dialer.sbi (*)
2008-09-09 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-09-02 Includes\Hijackers.sbi (*)
2008-10-28 Includes\HijackersC.sbi (*)
2008-09-09 Includes\Keyloggers.sbi (*)
2008-11-04 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-11-04 Includes\Malware.sbi (*)
2008-11-04 Includes\MalwareC.sbi (*)
2008-11-03 Includes\PUPS.sbi (*)
2008-11-04 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-10-23 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-11-04 Includes\Spyware.sbi (*)
2008-11-04 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-11-04 Includes\Trojans.sbi (*)
2008-11-04 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll


And before posting on this forum I wanted to give Malwarebytes' Anti-Malware a try and while it was working (I canceled it after 30 minutes) NOD32 real-time protection had this to say:


10.11.2008 17:51:18 Real-time file system protection file C:\Users\Public\Videos\Sample Videos\Lake.wmv a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
10.11.2008 17:51:17 Real-time file system protection file C:\Users\Public\Videos\Sample Videos\Bear.wmv a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
10.11.2008 17:51:16 Real-time file system protection file C:\Users\Public\Videos\Sample Videos\Butterfly.wmv a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
10.11.2008 17:51:12 Real-time file system protection file C:\Users\Public\Music\Sample Music\Din Din Wo (Little Child).wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
10.11.2008 17:51:11 Real-time file system protection file C:\Users\Public\Music\Sample Music\Despertar.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
10.11.2008 17:51:08 Real-time file system protection file C:\Users\Public\Music\Sample Music\Amanda.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
10.11.2008 17:51:07 Real-time file system protection file C:\Users\Public\Music\Sample Music\Symphony_No_3.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
10.11.2008 17:51:04 Real-time file system protection file C:\Users\Public\Music\Sample Music\One Step Beyond.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
10.11.2008 17:50:59 Real-time file system protection file C:\Users\Public\Music\Sample Music\OAM's Blues.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
10.11.2008 17:50:59 Real-time file system protection file C:\Users\Public\Music\Sample Music\Muita Bobeira.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
10.11.2008 17:50:58 Real-time file system protection file C:\Users\Public\Music\Sample Music\Love Comes.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
10.11.2008 17:50:58 Real-time file system protection file C:\Users\Public\Music\Sample Music\I Ka Barra (Your Work).wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
10.11.2008 17:50:55 Real-time file system protection file C:\Users\Public\Music\Sample Music\Distance.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
10.11.2008 17:50:54 Real-time file system protection file C:\Users\Public\Music\Sample Music\I Guess You're Right.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
10.11.2008 17:49:01 Real-time file system protection file C:\Users\petar\AppData\Local\VirtualStore\Windows\System32\wincxh32.rom Win32/TrojanDownloader.Small.OCS trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.

And finally a fresh HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:30:29, on 10.11.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\BisonCam\BisonHK.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Windows\BisonCam\BsMnt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Users\petar\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\RescueTime\RescueTime.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\conime.exe
C:\dev\Aptana Studio\AptanaStudio.exe
C:\dev\Aptana Studio\jre\bin\javaw.exe
C:\dev\Python25\python.exe
C:\Windows\system32\Taskmgr.exe
C:\Users\petar\AppData\Local\Screamer Radio\screamer.exe
C:\dev\Python25\python.exe
C:\Windows\hh.exe
C:\Users\petar\AppData\Local\Screamer Radio\screamer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Windows\System32\mblctr.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.rs/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:4480
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;127.*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre\6.0\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BisonHK] C:\Windows\BisonCam\BisonHK.exe
O4 - HKLM\..\Run: [BsMnt] C:\Windows\BisonCam\BsMnt.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [Google Update] "C:\Users\petar\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-4042144296-3311917591-612435275-1003\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'uros')
O4 - Startup: RescueTime.lnk = C:\Program Files\RescueTime\RescueTime.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\jre\6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\jre\6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Cntlm Authentication Proxy (cntlm) - Unknown owner - C:\Program Files\Cntlm\cygrunsrv.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: JNXXFU - Sysinternals - www.sysinternals.com - C:\Users\petar\AppData\Local\Temp\JNXXFU.exe
O23 - Service: Fortech Proxy+ (ProxyPlus) - FORTECH Ltd. - C:\Program Files\ProxyPlus\ProxyPlus.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 5755 bytes


Thank you in advance,
Petar Djordjevic

katana
2008-11-11, 18:44
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly http://www.countingcows.de/laechel.gif

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------


Download and Run RSIT

Please download Random's System Information Tool by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:

log.txt will be opened maximized.
info.txt will be opened minimized.

Please post the contents of both log.txt and info.txt.

karadjordje
2008-11-11, 23:14
log.txt:

Logfile of random's system information tool 1.04 (written by random/random)
Run by petar at 2008-11-11 22:09:34
Microsoft® Windows Vista™ Business Service Pack 1
System drive C: has 11 GB (35%) free of 31 GB
Total RAM: 1919 MB (51% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:09:46, on 11.11.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\BisonCam\BisonHK.exe
C:\Windows\BisonCam\BsMnt.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Users\petar\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\RescueTime\RescueTime.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\conime.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
D:\_downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\petar.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.rs/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:4480
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;127.*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre\6.0\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BisonHK] C:\Windows\BisonCam\BisonHK.exe
O4 - HKLM\..\Run: [BsMnt] C:\Windows\BisonCam\BsMnt.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [Google Update] "C:\Users\petar\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-4042144296-3311917591-612435275-1003\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'uros')
O4 - Startup: RescueTime.lnk = C:\Program Files\RescueTime\RescueTime.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\jre\6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\jre\6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Cntlm Authentication Proxy (cntlm) - Unknown owner - C:\Program Files\Cntlm\cygrunsrv.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: JNXXFU - Sysinternals - www.sysinternals.com - C:\Users\petar\AppData\Local\Temp\JNXXFU.exe
O23 - Service: Fortech Proxy+ (ProxyPlus) - FORTECH Ltd. - C:\Program Files\ProxyPlus\ProxyPlus.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 5295 bytes

======Scheduled tasks folder======

C:\Windows\tasks\GoogleUpdateTaskUser.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre\6.0\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-18 1008184]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"BisonHK"=C:\Windows\BisonCam\BisonHK.exe [2007-03-15 32768]
"BsMnt"=C:\Windows\BisonCam\BsMnt.exe [2007-03-15 172032]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2008-07-01 1447168]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
""= []
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2006-11-10 90112]
"AlcoholAutomount"=C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe [2008-09-05 4608]
"Google Update"=C:\Users\petar\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-07 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
C:\Users\petar\AppData\Local\Temp\jkkICvVp.dll []

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe

C:\Users\petar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
RescueTime.lnk - C:\Program Files\RescueTime\RescueTime.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6FF22309-A6ED-462B-ABEC-877625C012F3}"= []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ef4bc89-9e92-11dd-ba24-0019db3e575e}]
shell\Auto\command - G:\Autorun.exe
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf3f1923-5f28-11dd-8754-0019db3e575e}]
shell\AutoRun\command - F:\SETUP.EXE
shell\configure\command - F:\SETUP.EXE
shell\install\command - F:\SETUP.EXE


======File associations======

.js - open - "C:\dev\Aptana Studio\AptanaStudio.exe" "%1"

======List of files/folders created in the last 1 months======

2008-11-11 22:09:34 ----D---- C:\rsit
2008-11-10 17:24:13 ----D---- C:\Users\petar\AppData\Roaming\Malwarebytes
2008-11-10 17:24:06 ----D---- C:\ProgramData\Malwarebytes
2008-11-10 17:24:05 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-08 21:05:16 ----A---- C:\Windows\vbaddin.ini
2008-11-08 18:48:30 ----D---- C:\ProgramData\Spybot - Search & Destroy
2008-11-08 18:48:30 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-11-08 18:22:23 ----D---- C:\ProgramData\ESET
2008-11-08 18:22:23 ----D---- C:\Program Files\ESET
2008-11-03 13:38:31 ----D---- C:\Program Files\AltBinz
2008-10-30 20:35:41 ----D---- C:\Users\petar\AppData\Roaming\PeerNetworking
2008-10-30 11:17:51 ----A---- C:\Windows\system32\wersvc.dll
2008-10-30 11:17:51 ----A---- C:\Windows\system32\Faultrep.dll
2008-10-30 11:17:43 ----A---- C:\Windows\system32\win32spl.dll
2008-10-26 11:20:23 ----A---- C:\Windows\system32\netapi32.dll
2008-10-23 18:42:16 ----D---- C:\Program Files\RapidTyping
2008-10-20 10:45:33 ----D---- C:\Program Files\MetaGeek
2008-10-20 10:18:58 ----A---- C:\Windows\system32\jsproxy.dll
2008-10-20 10:18:57 ----A---- C:\Windows\system32\mshtml.dll
2008-10-20 10:18:56 ----A---- C:\Windows\system32\mstime.dll
2008-10-20 10:18:55 ----A---- C:\Windows\system32\iertutil.dll
2008-10-20 10:18:52 ----A---- C:\Windows\system32\wininet.dll
2008-10-20 10:18:52 ----A---- C:\Windows\system32\urlmon.dll
2008-10-20 10:18:50 ----A---- C:\Windows\system32\ieframe.dll
2008-10-19 13:39:36 ----A---- C:\Windows\system32\ntoskrnl.exe
2008-10-19 13:39:36 ----A---- C:\Windows\system32\ntkrnlpa.exe
2008-10-13 20:29:15 ----A---- C:\Windows\M2000Twn.ini
2008-10-13 20:29:14 ----D---- C:\Windows\BisonCam
2008-10-13 20:29:14 ----A---- C:\Windows\system32\BisonRem.dll
2008-10-12 19:15:08 ----D---- C:\Program Files\Vistumbler

======List of files/folders modified in the last 1 months======

2008-11-11 22:09:39 ----D---- C:\Windows\Temp
2008-11-11 22:05:53 ----SHD---- C:\System Volume Information
2008-11-11 19:18:45 ----D---- C:\Windows\Prefetch
2008-11-11 18:30:02 ----D---- C:\Windows\System32
2008-11-11 18:30:02 ----D---- C:\Windows\inf
2008-11-11 18:30:02 ----A---- C:\Windows\system32\PerfStringBackup.INI
2008-11-11 09:49:03 ----SHD---- C:\Windows\Installer
2008-11-11 09:48:59 ----D---- C:\ProgramData\Microsoft Help
2008-11-10 17:24:10 ----D---- C:\Windows\system32\drivers
2008-11-10 17:24:06 ----HD---- C:\ProgramData
2008-11-10 17:24:05 ----RD---- C:\Program Files
2008-11-08 21:05:41 ----RSD---- C:\Windows\assembly
2008-11-08 21:05:40 ----D---- C:\Windows\winsxs
2008-11-08 21:05:16 ----D---- C:\Windows
2008-11-08 21:04:43 ----D---- C:\Program Files\Common Files\microsoft shared
2008-11-08 21:04:34 ----SD---- C:\ProgramData\Microsoft
2008-11-08 21:02:54 ----A---- C:\Windows\ODBC.INI
2008-11-08 18:19:40 ----D---- C:\Program Files\Avira
2008-11-08 12:04:07 ----D---- C:\Program Files\SQLite Manager
2008-11-08 01:47:18 ----D---- C:\Users\petar\AppData\Roaming\uTorrent
2008-11-07 13:33:07 ----D---- C:\Windows\Tasks
2008-11-07 13:33:07 ----D---- C:\Windows\system32\Tasks
2008-11-01 09:26:41 ----A---- C:\Windows\system32\cntlm.exe.stackdump
2008-10-30 11:14:34 ----D---- C:\Windows\system32\catroot
2008-10-30 11:13:51 ----D---- C:\Windows\system32\catroot2
2008-10-26 12:01:21 ----D---- C:\Program Files\Microsoft Silverlight
2008-10-20 11:32:39 ----D---- C:\Windows\system32\migration
2008-10-19 17:02:18 ----D---- C:\Users\petar\AppData\Roaming\Wireshark
2008-10-19 16:42:47 ----D---- C:\Program Files\Windows Mail
2008-10-13 20:29:47 ----D---- C:\Windows\system
2008-10-13 20:29:16 ----A---- C:\Windows\win.ini
2008-10-13 20:29:14 ----RSD---- C:\Windows\Media
2008-10-13 20:29:14 ----D---- C:\Windows\twain_32
2008-10-13 20:29:13 ----HD---- C:\Program Files\InstallShield Installation Information

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 CSC;Offline Files Driver; C:\Windows\system32\drivers\csc.sys [2008-01-18 350720]
R1 easdrv;easdrv; C:\Windows\system32\DRIVERS\easdrv.sys [2008-07-01 53256]
R1 epfwtdir;epfwtdir; C:\Windows\system32\DRIVERS\epfwtdir.sys [2008-07-01 34312]
R1 ssmdrv;ssmdrv; C:\Windows\system32\DRIVERS\ssmdrv.sys [2007-03-01 28352]
R2 eamon;EAMON; C:\Windows\system32\DRIVERS\eamon.sys [2008-07-01 39944]
R2 NPF;NetGroup Packet Filter Driver; C:\Windows\system32\drivers\npf.sys [2007-11-06 34064]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\Windows\system32\DRIVERS\AGRSM.sys [2006-11-02 983552]
R3 athr;Atheros Extensible Wireless LAN device driver; C:\Windows\system32\DRIVERS\athr.sys [2008-05-07 767488]
R3 Cam5603D;BisonCam, NB Pro; C:\Windows\System32\Drivers\BisonCam.sys [2007-08-20 783272]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-18 14208]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
R3 NuidFltr;NUID filter driver; C:\Windows\system32\DRIVERS\NuidFltr.sys [2007-01-15 9728]
R3 R300;R300; C:\Windows\system32\DRIVERS\atikmdag.sys [2007-02-02 2385920]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2008-08-06 124928]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2008-01-18 88576]
S3 a5dk59ly;a5dk59ly; C:\Windows\system32\drivers\a5dk59ly.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-18 5632]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-18 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-18 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-18 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-18 6016]
S3 Tosrfcom;Tosrfcom; C:\Windows\system32\drivers\Tosrfcom.sys []
S3 VMnetAdapter;VMware Virtual Ethernet Adapter Driver; C:\Windows\system32\DRIVERS\vmnetadapter.sys []
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-18 83328]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati External Event Utility;Ati External Event Utility; C:\Windows\system32\Ati2evxx.exe [2007-02-02 565248]
R2 cntlm;Cntlm Authentication Proxy; C:\Program Files\Cntlm\cygrunsrv.exe [2007-11-23 43008]
R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2008-01-18 21504]
R2 ekrn;Eset Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-07-01 468224]
R2 ProxyPlus;Fortech Proxy+; C:\Program Files\ProxyPlus\ProxyPlus.exe [2008-09-14 2589833]
R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service; C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2007-02-25 125048]
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2008-01-18 21504]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2008-07-01 19200]
S3 Fax;@%systemroot%\system32\fxsresm.dll,-118; C:\Windows\system32\fxssvc.exe [2008-01-18 523776]
S3 JNXXFU;JNXXFU; C:\Users\petar\AppData\Local\Temp\JNXXFU.exe [2008-10-07 506752]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe [2007-11-06 92792]
S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2008-01-18 21504]
S3 wbengine;@%systemroot%\system32\wbengine.exe,-104; C:\Windows\system32\wbengine.exe [2008-01-18 917504]

-----------------EOF-----------------


info.txt:

info.txt logfile of random's system information tool 1.04 2008-11-11 22:09:49

======Uninstall list======

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
Alt.Binz 0.25.0-->C:\Program Files\AltBinz\uninst.exe
Aptana Studio-->C:\dev\Aptana Studio\uninstall.exe
Atheros Driver Installation Program-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28006915-2739-4EBE-B5E8-49B25D32EB33}\setup.exe" -l0x9 -removeonly
BisonCam-->C:\Program Files\InstallShield Installation Information\{4A57592C-FF92-4083-97A9-92783BD5AFB4}\setup.exe -runfromtemp -l0x0009 -removeonly
Bluetooth Stack for Windows by Toshiba-->MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
ESET NOD32 Antivirus-->MsiExec.exe /I{3407FD83-0A2F-475E-BE94-34F1FA342C84}
HD Tune 2.55-->"C:\Program Files\HD Tune\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
inSSIDer-->MsiExec.exe /I{2493D564-29FC-42A3-80F8-E6B190F03CA3}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Launchy 2.0-->"C:\Program Files\Launchy\unins000.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office 2003 programski dodatak za preslovljavanje-->MsiExec.exe /I{51312349-0B4D-450E-AFAA-03CC28A9531F}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Visio MUI (English) 2007-->MsiExec.exe /X{90120000-0054-0409-0000-0000000FF1CE}
Microsoft Office Visio Professional 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall VISPRO /dll OSETUP.DLL
Microsoft Office Visio Professional 2007-->MsiExec.exe /X{90120000-0051-0000-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs-->MsiExec.exe /X{90120000-00B2-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.3)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Notepad++-->C:\Program Files\Notepad++\uninstall.exe
Paint.NET v3.36-->MsiExec.exe /X{43602F34-1AA3-44FB-AEB2-D08C2C73743F}
Proxy+-->C:\Program Files\ProxyPlus\Uninstall.exe
Python 2.5 ipython-0.8.2-->"C:\dev\Python25\Removeipython.exe" -u "C:\dev\Python25\ipython-wininst.log"
Python 2.5 pyparsing-1.5.0-->MsiExec.exe /I{73A0D6CF-4501-46FF-84AF-1AC7D94DEEEA}
Python 2.5 pyreadline-1.5-->"C:\dev\Python25\Removepyreadline.exe" -u "C:\dev\Python25\pyreadline-wininst.log"
Python 2.5.2-->MsiExec.exe /I{6B976ADF-8AE8-434E-B282-A06C7F624D2F}
RescueTime 1.0.7-->"C:\Program Files\RescueTime\unins000.exe"
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {90120000-0051-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB955936)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {1D94099C-2BBA-440E-BD5E-093BBDF8F028}
Security Update for Microsoft Office Excel 2007 (KB955470)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6E8637D8-10D6-4568-AA06-E2706F31685E}
Security Update for Microsoft Office OneNote 2007 (KB950130)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F1B2401C-B610-4BF2-AA1C-52C55827A8F4}
Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office system 2007 (KB951808)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {90120000-0051-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office Word 2007 (KB950113)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Sid Meier's Alpha Centauri 2000/XP Compatibility Update-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{102E4D60-5A93-4A3C-8105-FE390427C60D}
Sid Meier's Alpha Centauri-->C:\Windows\IsUninst.exe -f"D:\Installed Games\Alpha Centauri\Uninst.isu"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
The KMPlayer (remove only)-->"C:\Program Files\The KMPlayer\uninstall.exe"
TortoiseSVN 1.5.2.13595 (32 bit)-->MsiExec.exe /X{687422AC-40E3-4F48-A816-20DC83F98035}
Total Commander (Remove or Repair)-->C:\Program Files\totalcmd\tcuninst.exe
Update for Office 2007 (KB946691)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Office 2007 (KB946691)-->msiexec /package {90120000-0051-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb957258)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {E070CDA4-A8DD-47FA-89A0-F5DA5D5DDFF9}
WinPcap 4.0.2-->C:\Program Files\WinPcap\uninstall.exe
Wireshark 1.0.0-->"C:\Program Files\Wireshark\uninstall.exe"

=====HijackThis Backups=====

O4 - HKCU\..\Run: [MSSMSGS] rundll32.exe wincxh32.rom,CKhRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre\6.0\bin\jusched.exe"

======Security center information======

AV: ESET NOD32 Antivirus 3.0
AS: ESET NOD32 Antivirus 3.0
AS: Windows Defender

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=2
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;c:\dev\Python25;c:\dev\Python25\Scripts;c:\dev\django_src\django\bin;C:\Program Files\Graphviz\Bin;C:\Program Files\TortoiseSVN\bin
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.py
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 104 Stepping 1, AuthenticAMD
"PROCESSOR_LEVEL"=15
"PROCESSOR_REVISION"=6801
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%

-----------------EOF-----------------

katana
2008-11-11, 23:31
Step 1


Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
Update Malwarebytes' Anti-Malware
and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
If you accidently close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


----------------------------------------------------------- -----------------------------------------------------------
Step 2


Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


----------------------------------------------------------- -----------------------------------------------------------
Step 3

Logs/Information to Post in Reply
Please post the following logs/Information in your reply

MalwareBytes Log
ComboFix Log
How are things running now ?

karadjordje
2008-11-12, 10:51
# MalwareBytes Log

Malwarebytes' Anti-Malware 1.30
Database version: 1385
Windows 6.0.6001 Service Pack 1

12.11.2008 8:54:27
mbam-log-2008-11-12 (08-54-27).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 201374
Time elapsed: 2 hour(s), 6 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6ff22309-a6ed-462b-abec-877625c012f3} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\petar\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4OAQGDX8\cntr[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\petar\AppData\Local\Temp\fccaXPhF.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


# ComboFix Log

ComboFix 08-11-11.01 - petar 2008-11-12 9:24:23.1 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1250.1.1033.18.1183 [GMT 1:00]
Running from: d:\_downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-10-12 to 2008-11-12 )))))))))))))))))))))))))))))))
.

2008-11-11 22:09 . 2008-11-11 22:09 <DIR> d-------- C:\rsit
2008-11-10 17:24 . 2008-11-10 17:24 <DIR> d-------- c:\users\petar\AppData\Roaming\Malwarebytes
2008-11-10 17:24 . 2008-11-10 17:24 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-11-10 17:24 . 2008-11-10 17:24 <DIR> d-------- c:\programdata\Malwarebytes
2008-11-10 17:24 . 2008-11-10 17:24 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-10 17:24 . 2008-10-22 16:10 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-10 17:24 . 2008-10-22 16:10 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-11-08 21:05 . 2008-11-08 21:05 39 --a------ c:\windows\vbaddin.ini
2008-11-08 18:48 . 2008-11-10 16:23 <DIR> d-------- c:\users\All Users\Spybot - Search & Destroy
2008-11-08 18:48 . 2008-11-10 16:23 <DIR> d-------- c:\programdata\Spybot - Search & Destroy
2008-11-08 18:48 . 2008-11-11 06:09 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-08 18:22 . 2008-11-08 18:22 <DIR> d-------- c:\users\All Users\ESET
2008-11-08 18:22 . 2008-11-08 18:22 <DIR> d-------- c:\programdata\ESET
2008-11-08 18:22 . 2008-11-08 18:22 <DIR> d-------- c:\program files\ESET
2008-11-03 13:38 . 2008-11-03 13:38 <DIR> d-------- c:\program files\AltBinz
2008-10-30 20:35 . 2008-10-30 20:35 <DIR> d-------- c:\users\petar\AppData\Roaming\PeerNetworking
2008-10-30 11:17 . 2008-08-12 04:39 443,392 --a------ c:\windows\System32\win32spl.dll
2008-10-30 11:17 . 2008-09-18 05:56 147,456 --a------ c:\windows\System32\Faultrep.dll
2008-10-30 11:17 . 2008-09-18 05:56 125,952 --a------ c:\windows\System32\wersvc.dll
2008-10-23 18:42 . 2008-11-03 13:37 <DIR> d-------- c:\program files\RapidTyping
2008-10-20 10:45 . 2008-10-20 10:45 <DIR> d-------- c:\program files\MetaGeek
2008-10-20 10:18 . 2008-10-02 02:32 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2008-10-20 10:18 . 2008-10-02 04:49 827,392 --a------ c:\windows\System32\wininet.dll
2008-10-19 13:43 . 2008-09-18 03:16 2,032,640 --a------ c:\windows\System32\win32k.sys
2008-10-19 13:40 . 2008-08-27 02:06 288,768 --a------ c:\windows\System32\drivers\srv.sys
2008-10-19 13:39 . 2008-09-18 06:09 3,601,464 --a------ c:\windows\System32\ntkrnlpa.exe
2008-10-19 13:39 . 2008-09-18 06:09 3,549,240 --a------ c:\windows\System32\ntoskrnl.exe
2008-10-13 20:32 . 2008-11-12 01:38 4,934 --a------ c:\windows\KernelMessage
2008-10-13 20:29 . 2008-10-13 20:29 <DIR> d-------- c:\windows\BisonCam
2008-10-13 20:29 . 2007-08-20 11:16 783,272 --a------ c:\windows\System32\drivers\BisonCam.sys
2008-10-13 20:29 . 2005-01-14 12:47 180,224 --a------ c:\windows\system\StillDrv.dll
2008-10-13 20:29 . 2006-11-10 19:59 176,128 --a------ c:\windows\System32\BisonRem.dll
2008-10-13 20:29 . 2007-07-30 20:43 172,032 --a------ c:\windows\system\BisonCam.dll
2008-10-13 20:29 . 2007-06-21 18:18 135,168 --a------ c:\windows\system\BisonVfw.dll
2008-10-13 20:29 . 2003-09-22 12:49 15,190 --a------ c:\windows\M2000Twn.ini
2008-10-13 20:29 . 2003-09-22 13:36 13,448 --a------ c:\windows\M2000Twn.src
2008-10-13 20:29 . 2005-12-05 11:08 2,264 --a------ c:\windows\system\S20H0220.csr
2008-10-13 20:29 . 2005-12-05 11:08 2,264 --a------ c:\windows\system\S20F0220.csr
2008-10-12 19:15 . 2008-10-12 19:17 <DIR> d-------- c:\program files\Vistumbler

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 08:49 --------- d-----w c:\programdata\Microsoft Help
2008-11-08 17:19 --------- d-----w c:\program files\Avira
2008-11-08 11:04 --------- d-----w c:\program files\SQLite Manager
2008-11-08 00:47 --------- d-----w c:\users\petar\AppData\Roaming\uTorrent
2008-10-26 11:01 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-19 16:02 --------- d-----w c:\users\petar\AppData\Roaming\Wireshark
2008-10-19 15:42 --------- d-----w c:\program files\Windows Mail
2008-10-13 19:29 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-11 16:33 --------- d-----w c:\program files\Wireshark
2008-10-11 16:32 --------- d-----w c:\program files\WinPcap
2008-10-10 15:39 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-01 07:58 --------- d-----w c:\program files\Universal Extractor
2008-10-01 07:57 --------- d-----w c:\program files\totalcmd
2008-09-27 17:49 --------- d-----w c:\program files\Microsoft
2008-09-27 16:27 --------- d-----w c:\users\uros\AppData\Roaming\GHISLER
2008-09-27 00:35 --------- d-----w c:\program files\HD Tune
2008-09-15 10:17 --------- d-----w c:\program files\The KMPlayer
2008-09-15 10:12 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-09-15 10:10 --------- d-----w c:\program files\Common Files\Adobe
2008-09-15 08:28 --------- d-----w c:\users\petar\AppData\Roaming\vlc
2008-09-14 13:07 --------- d-----w c:\program files\ProxyPlus
2008-09-14 12:30 --------- d-----w c:\program files\Cntlm
2008-09-14 10:50 --------- d-----w c:\users\sumadinac\AppData\Roaming\Subversion
2008-09-14 10:46 --------- d-----w c:\users\sumadinac\AppData\Roaming\ATI
2008-09-14 10:45 --------- d-----w c:\users\sumadinac\AppData\Roaming\Launchy
2008-09-12 13:08 --------- d-----w c:\users\petar\AppData\Roaming\Aptana
2008-09-12 12:26 --------- d-----w c:\programdata\PowerDesigner 12
2008-09-12 12:24 --------- d-----w c:\programdata\VMware
2008-09-05 21:17 107,888 ----a-w c:\windows\System32\CmdLineExt.dll
2008-07-17 22:50 174 --sha-w c:\program files\desktop.ini
2008-07-31 18:17 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008073120080801\index.dat
2008-01-18 21:33 397,312 --sha-w c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6001.18000_none_f1582d884fb532fb\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-09-05 4608]
"Google Update"="c:\users\petar\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-11-07 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"BisonHK"="c:\windows\BisonCam\BisonHK.exe" [2007-03-15 32768]
"BsMnt"="c:\windows\BisonCam\BsMnt.exe" [2007-03-15 172032]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]

c:\users\petar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
RescueTime.lnk - c:\program files\RescueTime\RescueTime.exe [2008-07-23 311296]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2008-07-20 274432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{0B3E9105-CCFF-4288-A490-72CE09B9F2EA}d:\\installed games\\warcraft iii\\war3.exe"= UDP:d:\installed games\warcraft iii\war3.exe:Warcraft III
"UDP Query User{1C39BD48-FC9E-4632-AEBF-D852C7CED2C0}d:\\installed games\\warcraft iii\\war3.exe"= TCP:d:\installed games\warcraft iii\war3.exe:Warcraft III
"TCP Query User{4BFB51AD-9B9A-4C13-88E8-2581C13C0C98}d:\\installed games\\warcraft iii\\war3.exe"= UDP:d:\installed games\warcraft iii\war3.exe:Warcraft III
"UDP Query User{8B6AC6D0-50AA-4D7E-8BB6-34AB217D8CDD}d:\\installed games\\warcraft iii\\war3.exe"= TCP:d:\installed games\warcraft iii\war3.exe:Warcraft III
"TCP Query User{CA009355-682F-48F1-AE62-B7C373B22A45}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{C5E33D3E-0D15-4E5D-8F32-1658A0F3D686}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{FD71EAF8-265D-4746-BCEA-FAECC691059B}c:\\program files\\totalcmd\\totalcmd.exe"= UDP:c:\program files\totalcmd\totalcmd.exe:Total Commander 32 bit international version, file manager replacement for Windows
"UDP Query User{AA3FCC48-55B6-4754-9694-081B2C0884F5}c:\\program files\\totalcmd\\totalcmd.exe"= TCP:c:\program files\totalcmd\totalcmd.exe:Total Commander 32 bit international version, file manager replacement for Windows
"TCP Query User{873734C3-F61E-40FE-A937-CC314BC40156}c:\\dev\\eclipse\\eclipse za django\\eclipse.exe"= UDP:c:\dev\eclipse\eclipse za django\eclipse.exe:eclipse
"UDP Query User{738F3A48-4F3E-40AE-B1E8-47E234051BC7}c:\\dev\\eclipse\\eclipse za django\\eclipse.exe"= TCP:c:\dev\eclipse\eclipse za django\eclipse.exe:eclipse
"TCP Query User{4DD9E6E6-F772-4D7F-9693-7AD103ED5368}d:\\installed games\\half-life 2 deathmatch\\hl2.exe"= UDP:d:\installed games\half-life 2 deathmatch\hl2.exe:hl2
"UDP Query User{57FA7DBD-2645-4FB9-A669-3B53201F5C0D}d:\\installed games\\half-life 2 deathmatch\\hl2.exe"= TCP:d:\installed games\half-life 2 deathmatch\hl2.exe:hl2
"{BFB97CF3-104E-4F46-A858-81C3A58B116A}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{BA847A7A-C4C4-443C-920B-2967C88A97DE}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"TCP Query User{D571B1B3-3BE9-45E4-B20A-DA51125EF6DD}c:\\program files\\real alternative\\media player classic\\mplayerc.exe"= UDP:c:\program files\real alternative\media player classic\mplayerc.exe:Media Player Classic
"UDP Query User{FEBE98F2-7C31-4852-A713-3632C9825109}c:\\program files\\real alternative\\media player classic\\mplayerc.exe"= TCP:c:\program files\real alternative\media player classic\mplayerc.exe:Media Player Classic
"TCP Query User{45486315-22E9-4C8E-AB2C-DE4FCDEC972F}c:\\program files\\aptana studio\\jre\\bin\\javaw.exe"= UDP:c:\program files\aptana studio\jre\bin\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{749BCF2D-B339-48D1-8208-17A414402CD2}c:\\program files\\aptana studio\\jre\\bin\\javaw.exe"= TCP:c:\program files\aptana studio\jre\bin\javaw.exe:Java(TM) Platform SE binary
"TCP Query User{D45E4009-5D6F-42C2-BA7C-F30C8FB4A376}c:\\dev\\aptana studio\\jre\\bin\\javaw.exe"= UDP:c:\dev\aptana studio\jre\bin\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{9987AE68-F068-4270-9EFC-EAE3FA88D870}c:\\dev\\aptana studio\\jre\\bin\\javaw.exe"= TCP:c:\dev\aptana studio\jre\bin\javaw.exe:Java(TM) Platform SE binary
"TCP Query User{9648B265-96E0-4DC7-A1F2-0E51706EF799}c:\\dev\\aptana studio\\jre\\bin\\javaw.exe"= UDP:c:\dev\aptana studio\jre\bin\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{4FEF5EFF-7FC8-4067-A892-7D173F442ED0}c:\\dev\\aptana studio\\jre\\bin\\javaw.exe"= TCP:c:\dev\aptana studio\jre\bin\javaw.exe:Java(TM) Platform SE binary
"TCP Query User{1CE0C12A-34F1-463A-87D7-8877651D55D2}c:\\program files\\entensys\\usergate 4.2\\usergate.exe"= UDP:c:\program files\entensys\usergate 4.2\usergate.exe:UserGate Module
"UDP Query User{0ACFDE09-3ADE-40D7-BE0F-C2B75F03DE69}c:\\program files\\entensys\\usergate 4.2\\usergate.exe"= TCP:c:\program files\entensys\usergate 4.2\usergate.exe:UserGate Module
"TCP Query User{A8651596-08B3-482C-AA9F-2E2254C5E731}c:\\program files\\proxyplus\\proxyplus.exe"= UDP:c:\program files\proxyplus\proxyplus.exe:Proxy server & cache for Win/95/98/Me/NT4/NT2000/XP
"UDP Query User{D1DE02C6-B391-4A83-993A-89A196AD709B}c:\\program files\\proxyplus\\proxyplus.exe"= TCP:c:\program files\proxyplus\proxyplus.exe:Proxy server & cache for Win/95/98/Me/NT4/NT2000/XP
"TCP Query User{2FA5DFE4-85F2-4401-90A3-AE9411BCD8A0}c:\\dev\\aptana studio\\jre\\bin\\javaw.exe"= UDP:c:\dev\aptana studio\jre\bin\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{18E322BF-A810-4331-AA97-1CA7B48D084F}c:\\dev\\aptana studio\\jre\\bin\\javaw.exe"= TCP:c:\dev\aptana studio\jre\bin\javaw.exe:Java(TM) Platform SE binary
"{7FBB7EBF-5031-4022-BAE3-A41AE8347256}"= UDP:5370:LocalSubnet:LocalSubnet:Jaxer
"{2DF71CD0-61EA-4D49-9A8D-55F072E78360}"= UDP:5371:LocalSubnet:LocalSubnet:Jaxer
"{B75941D6-5800-4D82-9C87-D07512B567E7}"= UDP:5374:LocalSubnet:LocalSubnet:Jaxer
"{54E49439-B531-4FFA-908D-1FC913BA47B9}"= UDP:5375:LocalSubnet:LocalSubnet:Jaxer
"{0533FDFC-471A-4BB7-9606-F1978F332F64}"= UDP:5376:LocalSubnet:LocalSubnet:Jaxer
"{CBE44773-812F-4DE1-A71B-C5F248C1405F}"= UDP:5377:LocalSubnet:LocalSubnet:Jaxer
"{DEBBBB98-D4E4-40FA-B7B4-DF69C255A8B3}"= UDP:5378:LocalSubnet:LocalSubnet:Jaxer
"{3021EF9C-2B8F-4F82-808C-C178BC8E16AF}"= UDP:5379:LocalSubnet:LocalSubnet:Jaxer
"{39D3C3EF-9EDD-4E8F-8663-C686FC617628}"= UDP:5380:LocalSubnet:LocalSubnet:Jaxer
"{9E4F62C6-8158-414D-A994-C4AC8A083538}"= UDP:5381:LocalSubnet:LocalSubnet:Jaxer
"{A0E8CE1D-2481-409D-A3F0-95F4B97AF55E}"= UDP:5382:LocalSubnet:LocalSubnet:Jaxer
"{A25E5F66-0ED0-4259-984C-47030240A0FC}"= UDP:5383:LocalSubnet:LocalSubnet:Jaxer
"{F6FFA344-FD89-4163-8187-6759CA22B601}"= UDP:8081:LocalSubnet:LocalSubnet:Apache

R0 AtiPcie;ATI PCI Express (3GIO) Filter;c:\windows\system32\DRIVERS\AtiPcie.sys [2006-10-30 7680]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2005-11-14 34176]
R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-07-01 34312]
R2 cntlm;Cntlm Authentication Proxy;c:\program files\Cntlm\cygrunsrv.exe [2007-11-23 43008]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
R2 ProxyPlus;Fortech Proxy+;c:\program files\ProxyPlus\ProxyPlus.exe [2008-09-14 2589833]
S3 JNXXFU;JNXXFU;c:\users\petar\AppData\Local\Temp\JNXXFU.exe [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ef4bc89-9e92-11dd-ba24-0019db3e575e}]
\shell\Auto\command - G:\Autorun.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf3f1923-5f28-11dd-8754-0019db3e575e}]
\shell\AutoRun\command - F:\SETUP.EXE
\shell\configure\command - F:\SETUP.EXE
\shell\install\command - F:\SETUP.EXE

*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {5EE7B1A3-BC56-25B9-D7BE-82BF7C75ACDB} /qb
.
Contents of the 'Scheduled Tasks' folder

2008-11-12 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\users\petar\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-07 13:33]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-MSServer - c:\users\petar\AppData\Local\Temp\jkkICvVp.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\users\petar\AppData\Roaming\Mozilla\Firefox\Profiles\xi1xs3kj.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
FF -: plugin - c:\program files\Java\jre\6.0\bin\npjava11.dll
FF -: plugin - c:\program files\Java\jre\6.0\bin\npjava12.dll
FF -: plugin - c:\program files\Java\jre\6.0\bin\npjava13.dll
FF -: plugin - c:\program files\Java\jre\6.0\bin\npjava14.dll
FF -: plugin - c:\program files\Java\jre\6.0\bin\npjava32.dll
FF -: plugin - c:\program files\Java\jre\6.0\bin\npjpi160_07.dll
FF -: plugin - c:\program files\Java\jre\6.0\bin\npoji610.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.30226.2\npctrl.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30401.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\users\petar\AppData\Local\Google\Update\1.2.131.27\npGoogleOneClick6.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-12 09:26:29
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-12 9:28:20
ComboFix-quarantined-files.txt 2008-11-12 08:28:02

Pre-Run: 11.343.622.144 bytes free
Post-Run: 11,365,588,992 bytes free

239 --- E O F --- 2008-11-11 08:49:04


# Fresh HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:19, on 12.11.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\BisonCam\BisonHK.exe
C:\Windows\BisonCam\BsMnt.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Users\petar\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\RescueTime\RescueTime.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\Taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.rs/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:4480
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;127.*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre\6.0\bin\ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BisonHK] C:\Windows\BisonCam\BisonHK.exe
O4 - HKLM\..\Run: [BsMnt] C:\Windows\BisonCam\BsMnt.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [Google Update] "C:\Users\petar\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-4042144296-3311917591-612435275-1003\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'uros')
O4 - Startup: RescueTime.lnk = C:\Program Files\RescueTime\RescueTime.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\jre\6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\jre\6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Cntlm Authentication Proxy (cntlm) - Unknown owner - C:\Program Files\Cntlm\cygrunsrv.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: JNXXFU - Unknown owner - C:\Users\petar\AppData\Local\Temp\JNXXFU.exe (file missing)
O23 - Service: Fortech Proxy+ (ProxyPlus) - FORTECH Ltd. - C:\Program Files\ProxyPlus\ProxyPlus.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 4913 bytes


# How are things running now?
Same as before, which was ok

katana
2008-11-12, 12:45
Are you hosting a web site on your machine ?

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:



Driver::
JNXXFU
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{CA009355-682F-48F1-AE62-B7C373B22A45}c:\\program files\\utorrent\\utorrent.exe"=-
"UDP Query User{C5E33D3E-0D15-4E5D-8F32-1658A0F3D686}c:\\program files\\utorrent\\utorrent.exe"=-
"{BFB97CF3-104E-4F46-A858-81C3A58B116A}"=-
"{BA847A7A-C4C4-443C-920B-2967C88A97DE}"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ef4bc89-9e92-11dd-ba24-0019db3e575e}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf3f1923-5f28-11dd-8754-0019db3e575e}]


Save this as CFScript.txt and place it on your desktop.


http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper




Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review: Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

karadjordje
2008-11-13, 13:12
# Are you hosting a web site on your machine?
No, but I am a web developer (among other things) and I have a couple of different servers (not just web) installed on this laptop.

ComboFix log:

ComboFix 08-11-11.01 - petar 2008-11-13 0:02:23.2 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1250.1.1033.18.1184 [GMT 1:00]
Running from: c:\users\petar\Desktop\ComboFix.exe
Command switches used :: c:\users\petar\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_JNXXFU


((((((((((((((((((((((((( Files Created from 2008-10-12 to 2008-11-12 )))))))))))))))))))))))))))))))
.

2008-11-11 22:09 . 2008-11-11 22:09 <DIR> d-------- C:\rsit
2008-11-10 17:24 . 2008-11-10 17:24 <DIR> d-------- c:\users\petar\AppData\Roaming\Malwarebytes
2008-11-10 17:24 . 2008-11-10 17:24 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-11-10 17:24 . 2008-11-10 17:24 <DIR> d-------- c:\programdata\Malwarebytes
2008-11-10 17:24 . 2008-11-10 17:24 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-10 17:24 . 2008-10-22 16:10 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-10 17:24 . 2008-10-22 16:10 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-11-08 21:05 . 2008-11-08 21:05 39 --a------ c:\windows\vbaddin.ini
2008-11-08 18:48 . 2008-11-10 16:23 <DIR> d-------- c:\users\All Users\Spybot - Search & Destroy
2008-11-08 18:48 . 2008-11-10 16:23 <DIR> d-------- c:\programdata\Spybot - Search & Destroy
2008-11-08 18:48 . 2008-11-11 06:09 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-08 18:22 . 2008-11-08 18:22 <DIR> d-------- c:\users\All Users\ESET
2008-11-08 18:22 . 2008-11-08 18:22 <DIR> d-------- c:\programdata\ESET
2008-11-08 18:22 . 2008-11-08 18:22 <DIR> d-------- c:\program files\ESET
2008-11-03 13:38 . 2008-11-03 13:38 <DIR> d-------- c:\program files\AltBinz
2008-10-30 20:35 . 2008-10-30 20:35 <DIR> d-------- c:\users\petar\AppData\Roaming\PeerNetworking
2008-10-30 11:17 . 2008-08-12 04:39 443,392 --a------ c:\windows\System32\win32spl.dll
2008-10-30 11:17 . 2008-09-18 05:56 147,456 --a------ c:\windows\System32\Faultrep.dll
2008-10-30 11:17 . 2008-09-18 05:56 125,952 --a------ c:\windows\System32\wersvc.dll
2008-10-23 18:42 . 2008-11-03 13:37 <DIR> d-------- c:\program files\RapidTyping
2008-10-20 10:45 . 2008-10-20 10:45 <DIR> d-------- c:\program files\MetaGeek
2008-10-20 10:18 . 2008-10-02 02:32 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2008-10-20 10:18 . 2008-10-02 04:49 827,392 --a------ c:\windows\System32\wininet.dll
2008-10-19 13:43 . 2008-09-18 03:16 2,032,640 --a------ c:\windows\System32\win32k.sys
2008-10-19 13:40 . 2008-08-27 02:06 288,768 --a------ c:\windows\System32\drivers\srv.sys
2008-10-19 13:39 . 2008-09-18 06:09 3,601,464 --a------ c:\windows\System32\ntkrnlpa.exe
2008-10-19 13:39 . 2008-09-18 06:09 3,549,240 --a------ c:\windows\System32\ntoskrnl.exe
2008-10-13 20:32 . 2008-11-12 01:38 4,934 --a------ c:\windows\KernelMessage
2008-10-13 20:29 . 2008-10-13 20:29 <DIR> d-------- c:\windows\BisonCam
2008-10-13 20:29 . 2007-08-20 11:16 783,272 --a------ c:\windows\System32\drivers\BisonCam.sys
2008-10-13 20:29 . 2005-01-14 12:47 180,224 --a------ c:\windows\system\StillDrv.dll
2008-10-13 20:29 . 2006-11-10 19:59 176,128 --a------ c:\windows\System32\BisonRem.dll
2008-10-13 20:29 . 2007-07-30 20:43 172,032 --a------ c:\windows\system\BisonCam.dll
2008-10-13 20:29 . 2007-06-21 18:18 135,168 --a------ c:\windows\system\BisonVfw.dll
2008-10-13 20:29 . 2003-09-22 12:49 15,190 --a------ c:\windows\M2000Twn.ini
2008-10-13 20:29 . 2003-09-22 13:36 13,448 --a------ c:\windows\M2000Twn.src
2008-10-13 20:29 . 2005-12-05 11:08 2,264 --a------ c:\windows\system\S20H0220.csr
2008-10-13 20:29 . 2005-12-05 11:08 2,264 --a------ c:\windows\system\S20F0220.csr
2008-10-12 19:15 . 2008-10-12 19:17 <DIR> d-------- c:\program files\Vistumbler

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 08:49 --------- d-----w c:\programdata\Microsoft Help
2008-11-08 17:19 --------- d-----w c:\program files\Avira
2008-11-08 11:04 --------- d-----w c:\program files\SQLite Manager
2008-11-08 00:47 --------- d-----w c:\users\petar\AppData\Roaming\uTorrent
2008-10-26 11:01 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-19 16:02 --------- d-----w c:\users\petar\AppData\Roaming\Wireshark
2008-10-19 15:42 --------- d-----w c:\program files\Windows Mail
2008-10-13 19:29 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-11 16:33 --------- d-----w c:\program files\Wireshark
2008-10-11 16:32 --------- d-----w c:\program files\WinPcap
2008-10-10 15:39 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-01 07:58 --------- d-----w c:\program files\Universal Extractor
2008-10-01 07:57 --------- d-----w c:\program files\totalcmd
2008-09-27 17:49 --------- d-----w c:\program files\Microsoft
2008-09-27 16:27 --------- d-----w c:\users\uros\AppData\Roaming\GHISLER
2008-09-27 00:35 --------- d-----w c:\program files\HD Tune
2008-09-15 10:17 --------- d-----w c:\program files\The KMPlayer
2008-09-15 10:12 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-09-15 10:10 --------- d-----w c:\program files\Common Files\Adobe
2008-09-15 08:28 --------- d-----w c:\users\petar\AppData\Roaming\vlc
2008-09-14 13:07 --------- d-----w c:\program files\ProxyPlus
2008-09-14 12:30 --------- d-----w c:\program files\Cntlm
2008-09-14 10:50 --------- d-----w c:\users\sumadinac\AppData\Roaming\Subversion
2008-09-14 10:46 --------- d-----w c:\users\sumadinac\AppData\Roaming\ATI
2008-09-14 10:45 --------- d-----w c:\users\sumadinac\AppData\Roaming\Launchy
2008-09-12 13:08 --------- d-----w c:\users\petar\AppData\Roaming\Aptana
2008-09-12 12:26 --------- d-----w c:\programdata\PowerDesigner 12
2008-09-12 12:24 --------- d-----w c:\programdata\VMware
2008-09-05 21:17 107,888 ----a-w c:\windows\System32\CmdLineExt.dll
2008-07-17 22:50 174 --sha-w c:\program files\desktop.ini
2008-07-31 18:17 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008073120080801\index.dat
2008-01-18 21:33 397,312 --sha-w c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6001.18000_none_f1582d884fb532fb\WinMail.exe
.

((((((((((((((((((((((((((((( snapshot@2008-11-12_ 9.27.03,74 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-11-11 05:10:23 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-11-12 23:07:33 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-11-12 23:07:33 262,144 ---ha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-11-11 05:10:18 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-11-12 23:07:33 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-11-12 08:20:21 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-11-12 08:32:47 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-11-12 08:20:21 49,152 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-12 08:32:47 49,152 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-12 08:20:21 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-11-12 08:32:47 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-09-05 4608]
"Google Update"="c:\users\petar\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-11-07 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"BisonHK"="c:\windows\BisonCam\BisonHK.exe" [2007-03-15 32768]
"BsMnt"="c:\windows\BisonCam\BsMnt.exe" [2007-03-15 172032]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]

c:\users\petar\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
RescueTime.lnk - c:\program files\RescueTime\RescueTime.exe [2008-07-23 311296]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2008-07-20 274432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{0B3E9105-CCFF-4288-A490-72CE09B9F2EA}d:\\installed games\\warcraft iii\\war3.exe"= UDP:d:\installed games\warcraft iii\war3.exe:Warcraft III
"UDP Query User{1C39BD48-FC9E-4632-AEBF-D852C7CED2C0}d:\\installed games\\warcraft iii\\war3.exe"= TCP:d:\installed games\warcraft iii\war3.exe:Warcraft III
"TCP Query User{4BFB51AD-9B9A-4C13-88E8-2581C13C0C98}d:\\installed games\\warcraft iii\\war3.exe"= UDP:d:\installed games\warcraft iii\war3.exe:Warcraft III
"UDP Query User{8B6AC6D0-50AA-4D7E-8BB6-34AB217D8CDD}d:\\installed games\\warcraft iii\\war3.exe"= TCP:d:\installed games\warcraft iii\war3.exe:Warcraft III
"TCP Query User{FD71EAF8-265D-4746-BCEA-FAECC691059B}c:\\program files\\totalcmd\\totalcmd.exe"= UDP:c:\program files\totalcmd\totalcmd.exe:Total Commander 32 bit international version, file manager replacement for Windows
"UDP Query User{AA3FCC48-55B6-4754-9694-081B2C0884F5}c:\\program files\\totalcmd\\totalcmd.exe"= TCP:c:\program files\totalcmd\totalcmd.exe:Total Commander 32 bit international version, file manager replacement for Windows
"TCP Query User{873734C3-F61E-40FE-A937-CC314BC40156}c:\\dev\\eclipse\\eclipse za django\\eclipse.exe"= UDP:c:\dev\eclipse\eclipse za django\eclipse.exe:eclipse
"UDP Query User{738F3A48-4F3E-40AE-B1E8-47E234051BC7}c:\\dev\\eclipse\\eclipse za django\\eclipse.exe"= TCP:c:\dev\eclipse\eclipse za django\eclipse.exe:eclipse
"TCP Query User{4DD9E6E6-F772-4D7F-9693-7AD103ED5368}d:\\installed games\\half-life 2 deathmatch\\hl2.exe"= UDP:d:\installed games\half-life 2 deathmatch\hl2.exe:hl2
"UDP Query User{57FA7DBD-2645-4FB9-A669-3B53201F5C0D}d:\\installed games\\half-life 2 deathmatch\\hl2.exe"= TCP:d:\installed games\half-life 2 deathmatch\hl2.exe:hl2
"TCP Query User{D571B1B3-3BE9-45E4-B20A-DA51125EF6DD}c:\\program files\\real alternative\\media player classic\\mplayerc.exe"= UDP:c:\program files\real alternative\media player classic\mplayerc.exe:Media Player Classic
"UDP Query User{FEBE98F2-7C31-4852-A713-3632C9825109}c:\\program files\\real alternative\\media player classic\\mplayerc.exe"= TCP:c:\program files\real alternative\media player classic\mplayerc.exe:Media Player Classic
"TCP Query User{45486315-22E9-4C8E-AB2C-DE4FCDEC972F}c:\\program files\\aptana studio\\jre\\bin\\javaw.exe"= UDP:c:\program files\aptana studio\jre\bin\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{749BCF2D-B339-48D1-8208-17A414402CD2}c:\\program files\\aptana studio\\jre\\bin\\javaw.exe"= TCP:c:\program files\aptana studio\jre\bin\javaw.exe:Java(TM) Platform SE binary
"TCP Query User{D45E4009-5D6F-42C2-BA7C-F30C8FB4A376}c:\\dev\\aptana studio\\jre\\bin\\javaw.exe"= UDP:c:\dev\aptana studio\jre\bin\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{9987AE68-F068-4270-9EFC-EAE3FA88D870}c:\\dev\\aptana studio\\jre\\bin\\javaw.exe"= TCP:c:\dev\aptana studio\jre\bin\javaw.exe:Java(TM) Platform SE binary
"TCP Query User{9648B265-96E0-4DC7-A1F2-0E51706EF799}c:\\dev\\aptana studio\\jre\\bin\\javaw.exe"= UDP:c:\dev\aptana studio\jre\bin\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{4FEF5EFF-7FC8-4067-A892-7D173F442ED0}c:\\dev\\aptana studio\\jre\\bin\\javaw.exe"= TCP:c:\dev\aptana studio\jre\bin\javaw.exe:Java(TM) Platform SE binary
"TCP Query User{1CE0C12A-34F1-463A-87D7-8877651D55D2}c:\\program files\\entensys\\usergate 4.2\\usergate.exe"= UDP:c:\program files\entensys\usergate 4.2\usergate.exe:UserGate Module
"UDP Query User{0ACFDE09-3ADE-40D7-BE0F-C2B75F03DE69}c:\\program files\\entensys\\usergate 4.2\\usergate.exe"= TCP:c:\program files\entensys\usergate 4.2\usergate.exe:UserGate Module
"TCP Query User{A8651596-08B3-482C-AA9F-2E2254C5E731}c:\\program files\\proxyplus\\proxyplus.exe"= UDP:c:\program files\proxyplus\proxyplus.exe:Proxy server & cache for Win/95/98/Me/NT4/NT2000/XP
"UDP Query User{D1DE02C6-B391-4A83-993A-89A196AD709B}c:\\program files\\proxyplus\\proxyplus.exe"= TCP:c:\program files\proxyplus\proxyplus.exe:Proxy server & cache for Win/95/98/Me/NT4/NT2000/XP
"TCP Query User{2FA5DFE4-85F2-4401-90A3-AE9411BCD8A0}c:\\dev\\aptana studio\\jre\\bin\\javaw.exe"= UDP:c:\dev\aptana studio\jre\bin\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{18E322BF-A810-4331-AA97-1CA7B48D084F}c:\\dev\\aptana studio\\jre\\bin\\javaw.exe"= TCP:c:\dev\aptana studio\jre\bin\javaw.exe:Java(TM) Platform SE binary
"{7FBB7EBF-5031-4022-BAE3-A41AE8347256}"= UDP:5370:LocalSubnet:LocalSubnet:Jaxer
"{2DF71CD0-61EA-4D49-9A8D-55F072E78360}"= UDP:5371:LocalSubnet:LocalSubnet:Jaxer
"{B75941D6-5800-4D82-9C87-D07512B567E7}"= UDP:5374:LocalSubnet:LocalSubnet:Jaxer
"{54E49439-B531-4FFA-908D-1FC913BA47B9}"= UDP:5375:LocalSubnet:LocalSubnet:Jaxer
"{0533FDFC-471A-4BB7-9606-F1978F332F64}"= UDP:5376:LocalSubnet:LocalSubnet:Jaxer
"{CBE44773-812F-4DE1-A71B-C5F248C1405F}"= UDP:5377:LocalSubnet:LocalSubnet:Jaxer
"{DEBBBB98-D4E4-40FA-B7B4-DF69C255A8B3}"= UDP:5378:LocalSubnet:LocalSubnet:Jaxer
"{3021EF9C-2B8F-4F82-808C-C178BC8E16AF}"= UDP:5379:LocalSubnet:LocalSubnet:Jaxer
"{39D3C3EF-9EDD-4E8F-8663-C686FC617628}"= UDP:5380:LocalSubnet:LocalSubnet:Jaxer
"{9E4F62C6-8158-414D-A994-C4AC8A083538}"= UDP:5381:LocalSubnet:LocalSubnet:Jaxer
"{A0E8CE1D-2481-409D-A3F0-95F4B97AF55E}"= UDP:5382:LocalSubnet:LocalSubnet:Jaxer
"{A25E5F66-0ED0-4259-984C-47030240A0FC}"= UDP:5383:LocalSubnet:LocalSubnet:Jaxer
"{F6FFA344-FD89-4163-8187-6759CA22B601}"= UDP:8081:LocalSubnet:LocalSubnet:Apache

R0 AtiPcie;ATI PCI Express (3GIO) Filter;c:\windows\system32\DRIVERS\AtiPcie.sys [2006-10-30 7680]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2005-11-14 34176]
R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-07-01 34312]
R2 cntlm;Cntlm Authentication Proxy;c:\program files\Cntlm\cygrunsrv.exe [2007-11-23 43008]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
R2 ProxyPlus;Fortech Proxy+;c:\program files\ProxyPlus\ProxyPlus.exe [2008-09-14 2589833]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ef4bc89-9e92-11dd-ba24-0019db3e575e}]
\shell\Auto\command - G:\Autorun.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf3f1923-5f28-11dd-8754-0019db3e575e}]
\shell\AutoRun\command - F:\SETUP.EXE
\shell\configure\command - F:\SETUP.EXE
\shell\install\command - F:\SETUP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {5EE7B1A3-BC56-25B9-D7BE-82BF7C75ACDB} /qb
.
Contents of the 'Scheduled Tasks' folder

2008-11-12 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\users\petar\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-07 13:33]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-13 00:07:39
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Cntlm\cntlm.exe
c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\System32\conime.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-11-13 0:13:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-12 23:12:55
ComboFix2.txt 2008-11-12 08:28:21

Pre-Run: 11.864.813.568 bytes free
Post-Run: 11,604,897,792 bytes free

255 --- E O F --- 2008-11-11 08:49:04


I couldn't run Kaspersky Online Scanner probably because I'm behind an ISA based proxy, NAT and firewall. I did run NOD32 on my laptop and he didn't detect any threats.

katana
2008-11-13, 14:17
That looks fine then,

One final thing to do ...



OTMoveIt
Please download OTMoveIt3 by OldTimer (http://oldtimer.geekstogo.com/OTMoveIt3.exe) and save it to your desktop

Double-click OTMoveIt3.exe to run it.
Copy the lines in the codebox below. ( Make sure you include :Files )



:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ef4bc89-9e92-11dd-ba24-0019db3e575e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf3f1923-5f28-11dd-8754-0019db3e575e}]
:Files
:Commands
[Purity]
[EmptyTemp]



Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.


Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3


If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

karadjordje
2008-11-13, 16:33
Log:

========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ef4bc89-9e92-11dd-ba24-0019db3e575e}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf3f1923-5f28-11dd-8754-0019db3e575e}\\ deleted successfully.
========== FILES ==========
========== COMMANDS ==========
File delete failed. C:\Users\petar\AppData\Local\Temp\swt-mozilla-30612.tmp\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Users\petar\AppData\Local\Temp\swt-mozilla-30612.tmp\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Users\petar\AppData\Local\Temp\swt-mozilla-30612.tmp\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Users\petar\AppData\Local\Temp\swt-mozilla-30612.tmp\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Users\petar\AppData\Local\Temp\swt-mozilla-30612.tmp\history.dat scheduled to be deleted on reboot.
File delete failed. C:\Users\petar\AppData\Local\Temp\Low\~DF1011.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\petar\AppData\Local\Temp\Low\~DF1017.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\petar\AppData\Local\Temp\hsperfdata_petar\4796 scheduled to be deleted on reboot.
File delete failed. C:\Users\petar\AppData\Local\Temp\etilqs_fIZ2abu6gIk3rvB87q8L scheduled to be deleted on reboot.
File delete failed. C:\Users\petar\AppData\Local\Temp\FXSAPIDebugLogFile.txt scheduled to be deleted on reboot.
File delete failed. C:\Users\petar\AppData\Local\Temp\jetty_preview_server.log scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
File delete failed. C:\Users\petar\AppData\Local\Mozilla\Firefox\Profiles\xi1xs3kj.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Users\petar\AppData\Local\Mozilla\Firefox\Profiles\xi1xs3kj.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Users\petar\AppData\Local\Mozilla\Firefox\Profiles\xi1xs3kj.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Users\petar\AppData\Local\Mozilla\Firefox\Profiles\xi1xs3kj.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Users\petar\AppData\Local\Mozilla\Firefox\Profiles\xi1xs3kj.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Users\petar\AppData\Local\Mozilla\Firefox\Profiles\xi1xs3kj.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.0 log created on 11132008_144518

I've had some programs running (Firefox, Aptana IDE, Total Commander, Internet Explorer 7, ...) because I'm debugging something now and I can't close them, or restart my PC. Most of the files pending deletion are known to me (most of them belong Firefox and Aptana).

Should I run OTMoveIt again later, when I'm finished with my work?

katana
2008-11-13, 16:49
Should I run OTMoveIt again later, when I'm finished with my work?
Not needed, It will auto delete the files on reboot.


Congratulations your logs look clean :)

Let's see if I can help you keep it that way

First lets tidy up




This will clear your System Volume Information restore points and remove all the infected files that were quarantined
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png




Open OTMoveIt Click Cleanup,
it will now connect to the internet and get a list of files to delete.
When a box pops up click YES.

You can also delete any logs we have produced, and empty your Recycle bin.





The following is some info to help you stay safe and clean.


You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE (http://secunia.com/software_inspector/) for details

AntiSpyware
AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must have program It includes host protection and registry protection A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
MalwareBytes Anti-malware (http://www.malwarebytes.org/mbam.php) <<< A New and effective program
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner

Prevention
These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol (http://www.winpatrol.com) An excellent startup manager and then some !! Notifies you if programs are added to startup Allows delayed startup A must have addition
SpywareBlaster 4.0 (http://www.javacoolsoftware.com/spywareblaster.html) SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html) SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut (http://www.funkytoad.com/index.php?option=com_content&view=article&id=15&Itemid=33) Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip) This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002. Not required if you are using other host file protections

Internet Browsers
Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

If you are still using IE6 then either update, or get one of the following.
FireFox (http://www.mozilla.com/en-US/firefox/) With many addons available that make customization easy this is a very popular choice NoScript and AdBlockPlus addons are essential
Opera (http://www.opera.com/) Another popular alternative
Netscape (http://browser.netscape.com/addons) Another popular alternative Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies
Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.

Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) Free and very simple to use
CCleaner (http://www.ccleaner.com/) Free and very flexible, you can chose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place (http://forum.malwareremoval.com/viewtopic.php?t=4959)

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'

katana
2008-11-19, 17:15
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.