PC disinfection

40 replies to this topic

#1 magicuzor (New Member; Group: Members; Posts: 22; Joined: 13.03.2010)
Hi, I've got some unwanted tenants in my PC who won't leave me alone. Last night an entire hard drive disappeared; 160 GB of films and photos, mostly of personal value, are gone. I don't know from where, how or why. I haven't been home much in the last few days; my younger brother plays GTA, in which I found a virus (I don't remember the name); apart from that, the registry is disabled, Task Manager likewise, something that adds itself as firewall exceptions, and another malware that comes back after reinstall/format.

What should I do, what logs should I post?
Thanks.

#2 Official (Forzza ASA!; Group: Senior Members; Posts: 3,327; Joined: 27.03.2009)
Post a HijackThis log.

#3 reventon (Senior Member; Group: Senior Members; Posts: 3,743; Joined: 19.12.2008)
The best option for you would be to reinstall your operating system and then an antivirus that includes a firewall, antispyware etc.

With all these problems it would be quite hard to get rid of them and stay intact.

Quote

and another malware that comes back after reinstall/format.
meaning?

Edited by crysty2k5, 11 April 2010 - 13:13.
a one-day break for advice like this


#4 rootkit (Awake. Security DNA; Group: Senior Members; Posts: 34,883; Joined: 07.02.2007)
We're waiting for the log here.

#5 magicuzor (New Member; Group: Members; Posts: 22; Joined: 13.03.2010)
hi. here is the log

Logfile of Trend Micro HiJackThis v2.0.4
Scan saved at 07:23:16, on 09.01.2003
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\shost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\Em\LOCALS~1\Temp\lpqire.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\cmd.exe
C:\DOCUME~1\Em\LOCALS~1\Temp\svchost.exe
c:\windows\system32\wuaucldt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Em\Local Settings\Application Data\ave.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\DOCUMENTS AND SETTINGS\EM\MY DOCUMENTS\DOWNLOADS\HIJACKTHIS(2).EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Daemon Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll (file missing)
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [shost] C:\Windows\system32\shost.exe
O4 - HKLM\..\Run: [TXQK Agent] C:\WINDOWS\system32\28463\TXQK.exe
O4 - HKLM\..\Run: [syncman] c:\windows\system32\wuaucldt.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Em\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [syncman] c:\documents and settings\em\wuaucldt.exe
O4 - HKCU\..\Run: [d3davilibrary] rundll32.exe "C:\Documents and Settings\Em\Local Settings\Application Data\d3davilibrary\d3davilibrary.dll", DllInit
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5444 bytes

#6 rootkit (Awake. Security DNA; Group: Senior Members; Posts: 34,883; Joined: 07.02.2007)
Tick and press Fix checked in HijackThis for:

Quote

O4 - HKLM\..\Run: [shost] C:\Windows\system32\shost.exe
O4 - HKLM\..\Run: [TXQK Agent] C:\WINDOWS\system32\28463\TXQK.exe
O4 - HKLM\..\Run: [syncman] c:\windows\system32\wuaucldt.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [syncman] c:\documents and settings\em\wuaucldt.exe
O4 - HKCU\..\Run: [d3davilibrary] rundll32.exe "C:\Documents and Settings\Em\Local Settings\Application Data\d3davilibrary\d3davilibrary.dll", DllInit
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Navigate to:

Quote

C:\WINDOWS\system32\drivers\etc

And delete the hosts file.


Run this:

http://download.bleepingcomputer.com/grinler/rkill.com

Wait for that process to finish.

Download: ComboFix and save it to the Desktop.

Create a new .txt file with Notepad and write in it what is quoted below:

Quote

File::
C:\Windows\system32\shost.exe
C:\DOCUME~1\Em\LOCALS~1\Temp\lpqire.exe
C:\DOCUME~1\Em\LOCALS~1\Temp\svchost.exe
C:\Documents and Settings\Em\Local Settings\Application Data\ave.exe
C:\WINDOWS\system32\28463\TXQK.exe
C:\WINDOWS\system32\regedit.exe
c:\documents and settings\em\wuaucldt.exe
c:\windows\system32\wuaucldt.exe
C:\Documents and Settings\Em\Local Settings\Application Data\d3davilibrary\d3davilibrary.dll

Name the file CFScript.txt, then drag it over ComboFix.exe as shown in the picture below.

[image: http://users.telenet.be/bluepatchy/miekiemoes/images/CFScript.gif]
Then make sure you have closed all running programs (Yahoo Messenger, Mozilla Firefox, etc.) and run ComboFix. It will ask whether to start cleaning the system. Confirm with Yes each time. Don't stop it while it scans and disinfects the system. The desktop may disappear while it runs, but don't worry.
At the end it will display the scan results. Save that file and post its contents HERE.

Edited by crysty2k5, 25 April 2010 - 13:53.
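As an added example (not a tool from this thread, and not what the helper above used), the Python script below applies the rules of thumb that the reply applies by eye to the posted O4/O7 lines: a file name that imitates a Windows binary, a built-in admin tool placed in a Run key, a start path under Temp or the user profile, a numeric subdirectory under system32, and a Disable* policy set. The lookalike table, the admin-tool set and the GoogleUpdate allowlist are constructed for the example; the sample lines are copied from the log posted above.

```python
"""HijackThis O4/O7 triage: flag autostart entries with the traits an analyst looks for.

Added example for this thread, not a tool from the forum; the heuristics and the
lookalike/allow lists below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# O4 autostart line:  O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# O7 policy line:     O7 - HKCU\...\Policies\System, DisableRegedit=1
O7_RE = re.compile(r'^O7 - (?P<key>[^,]+), (?P<value>\w+)=(?P<data>\d+)$')
# First executable/DLL path of a command, quoted or not (paths with spaces are common)
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|scr|bat))"?(?:\s|,|$)', re.I)
# rundll32 entries: the interesting file is the DLL it loads, not rundll32 itself
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<path>[^",]+\.dll)', re.I)

USER_PROFILE = re.compile(r'\\(documents and settings|docume~1|users)\\', re.I)
TEMP_DIR = re.compile(r'\\temp\\', re.I)
NUMERIC_SUBDIR = re.compile(r'\\system32\\\d+\\', re.I)
# Constructed lookalike table: file names that imitate Windows binaries
LOOKALIKES = {"shost.exe": "svchost.exe", "wuaucldt.exe": "wuauclt.exe"}
# Built-in admin tools that have no reason to sit in a Run key
ADMIN_TOOLS = {"regedit.exe", "cmd.exe"}
# Constructed allowlist for legitimate per-user installers that live in the profile
KNOWN_GOOD = {"googleupdate.exe"}


@dataclass
class Finding:
    name: str          # autostart entry name, or policy value name for O7
    line: str
    reasons: list = field(default_factory=list)


def first_target(cmd):
    """Return (basename, full path) of the file an O4 command really starts."""
    cmd = cmd.strip()
    m = RUNDLL_RE.search(cmd) or EXE_RE.match(cmd)
    path = m.group('path') if m else cmd
    return path.rsplit('\\', 1)[-1].lower(), path


def triage_line(line):
    """Return a Finding for a suspicious O4/O7 line, None for a benign or unrelated one."""
    m = O4_RE.match(line)
    if m:
        base, path = first_target(m.group('cmd'))
        if base in KNOWN_GOOD:
            return None
        reasons = []
        if base in LOOKALIKES:
            reasons.append(f"name imitates {LOOKALIKES[base]}")
        if base in ADMIN_TOOLS:
            reasons.append(f"{base} auto-started from a Run key")
        if TEMP_DIR.search(path):
            reasons.append("starts from a Temp directory")
        elif USER_PROFILE.search(path):
            reasons.append("starts from a user-profile directory")
        if NUMERIC_SUBDIR.search(path):
            reasons.append("numeric subdirectory under system32")
        return Finding(m.group('name'), line, reasons) if reasons else None
    m = O7_RE.match(line)
    if m and m.group('value').startswith('Disable') and m.group('data') != '0':
        return Finding(m.group('value'), line, [f"policy {m.group('value')}={m.group('data')}"])
    return None


def triage_log(text):
    """Run triage_line over a whole HijackThis log; findings come back in log order."""
    return [f for f in (triage_line(ln.rstrip()) for ln in text.splitlines()) if f]


# Sample input: O4/O7 lines copied from the log posted in the thread
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [shost] C:\Windows\system32\shost.exe
O4 - HKLM\..\Run: [TXQK Agent] C:\WINDOWS\system32\28463\TXQK.exe
O4 - HKLM\..\Run: [syncman] c:\windows\system32\wuaucldt.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Em\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [syncman] c:\documents and settings\em\wuaucldt.exe
O4 - HKCU\..\Run: [d3davilibrary] rundll32.exe "C:\Documents and Settings\Em\Local Settings\Application Data\d3davilibrary\d3davilibrary.dll", DllInit
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.name}] {'; '.join(f.reasons)}")
```

On the sample, the script flags exactly the seven lines the reply tells the poster to fix; a path under the user profile is only a weak signal on its own, which is why the allowlist exists.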


#7 magicuzor (New Member; Group: Members; Posts: 22; Joined: 13.03.2010)
hi, I followed the steps you asked for.
thanks for the help dude

rkill log

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Em on 09.01.2003 at  8:52:39.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Em\Local Settings\Application Data\ave.exe
C:\Documents and Settings\Em\My Documents\Downloads\rkill.com


Rkill completed on 09.01.2003  at  8:52:42.

---------------------------------------------------------

ComboFix 10-04-21.01 - Em 09.01.2003   9:01.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.767.609 [GMT 2:00]
Running from: c:\documents and settings\Em\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Em\Desktop\CFScript.txt.txt

FILE ::
"c:\docume~1\Em\LOCALS~1\Temp\lpqire.exe"
"c:\docume~1\Em\LOCALS~1\Temp\svchost.exe"
"c:\documents and settings\Em\Local Settings\Application Data\ave.exe"
"c:\documents and settings\Em\Local Settings\Application Data\d3davilibrary\d3davilibrary.dll"
"c:\documents and settings\em\wuaucldt.exe"
"c:\windows\system32\28463\TXQK.exe"
"c:\windows\system32\regedit.exe"
"c:\windows\system32\shost.exe"
"c:\windows\system32\wuaucldt.exe"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Em\Local Settings\Application Data\ave.exe
c:\documents and settings\Em\Local Settings\Application Data\d3davilibrary\d3davilibrary.dll
c:\documents and settings\Em\wuaucldt.exe
C:\Shost.exe
c:\windows\system32\shost.exe
c:\windows\system32\wuaucldt.exe

c:\windows\system32\msgsvc.dll . . . is infected!!

Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - c:\system volume information\_restore{CACE61B6-AA71-4DC6-B30E-D9F0BB29A408}\RP27\A0029937.sys

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ABP470N5
-------\Service_abp470n5


(((((((((((((((((((((((((   Files Created from 2002-12-09 to 2003-01-09  )))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-09-02 12:56 1175944 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2003-01-08 395056]
"Google Update"="c:\documents and settings\Em\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2005-01-03 205296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 100648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 104304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"nwiz"="nwiz.exe" [2006-06-01 1593344]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-06-01 86016]
"SoundMan"="SOUNDMAN.EXE" [2004-02-09 65024]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-09-14 157592]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 320232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [2005-1-3 565248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Documents and Settings\\Em\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"= c:\\DOCUMENTS AND SETTINGS\\EM\\LOCAL SETTINGS\\APPLICATION DATA\\GOOGLE\\UPDATE\\GOOGLEUPDATE.EXE
"c:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe"=
"c:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Metin2\\metin2client.bin"=
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\ymsgr_tray.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"= c:\\PROGRAM FILES\\COMMON FILES\\JAVA\\JAVA UPDATE\\JUCHECK.EXE
"c:\\Program Files\\Metin2\\metin2.bin"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [02.04.2010 07:38 691696]
S0 a347bus;a347bus;c:\windows\system32\DRIVERS\a347bus.sys --> c:\windows\system32\DRIVERS\a347bus.sys [?]
S0 a347scsi;a347scsi;c:\windows\system32\Drivers\a347scsi.sys --> c:\windows\system32\Drivers\a347scsi.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ABP470N5
.
Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1659004503-682003330-1003Core.job
- c:\documents and settings\Em\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2005-01-03 00:12]

2010-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1659004503-682003330-1003UA.job
- c:\documents and settings\Em\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2005-01-03 00:12]

2010-04-10 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-09-02 12:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Em\Application Data\Mozilla\Firefox\Profiles\aqr7pnbl.default\
FF - component: c:\documents and settings\Em\Application Data\Mozilla\Firefox\Profiles\aqr7pnbl.default\extensions\[email protected]\platform\WINNT\components\nsTwitterFoxSign.dll
FF - plugin: c:\documents and settings\Em\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll

---- Firefox POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-syncman - c:\documents and settings\em\wuaucldt.exe
HKLM-Run-syncman - c:\windows\system32\wuaucldt.exe
AddRemove-Chicken Invaders 2_is1 - c:\program files\Chicken Invaders 2\ReflexiveArcade\unins000.exe
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2003-01-09 09:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82F701F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7573f10
\Driver\ACPI -> ACPI.sys @ 0xf73dbcb8
\Driver\atapi -> 0x82f701f8
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a01b0
ParseProcedure -> ntoskrnl.exe @ 0x8056f18e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a01b0
ParseProcedure -> ntoskrnl.exe @ 0x8056f18e
NDIS: VIA Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7267ba0
PacketIndicateHandler -> NDIS.sys @ 0xf7274b21
SendHandler -> NDIS.sys @ 0xf725287b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3300)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\SOUNDMAN.EXE
c:\windows\system32\nvsvc32.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\docume~1\Em\LOCALS~1\Temp\khau.exe
.
**************************************************************************
.
Completion time: 2003-01-09  09:11:19 - machine was rebooted
ComboFix-quarantined-files.txt  2003-01-09 07:11

Pre-Run: 48.261.242.880 bytes free
Post-Run: 48.184.438.784 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 9B130A1FDED81D75D7289ABD2120587F

That's all. I'm waiting for your reply, cheers.

#8
rootkit

    Awake. Security DNA

  • Group: Senior Members
  • Posts: 34,883
  • Joined: 07.02.2007
Insert the Windows CD into the CD-ROM drive, then go to Start -> Run and type: sfc /scannow and press Enter. Wait for that process to finish.

[image: http://www.advancedtoolbar.com/images/runbox1.gif]

[image: http://www.pcwizztech.co.uk/scannow2.gif]

[image: http://www.silverhairs.co.uk/sfc%20scannow.jpg]

Download:

Panda USB Vaccine 1.0.1.4

After running the program, click: Vaccinate Computer and then Vaccinate USB.

If you have several USB sticks/cards/MP3 players, perform the vaccination for each one.

Download

Malwarebytes Anti-Malware 1.45

and save it to the Desktop.

Install it and at the end make sure the following are checked: Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware. Then click Finish.

After launching the program, click the Update tab and press the Check for Updates button to verify that the downloaded definitions are the latest.

Database version: 4XXX

Click the Scanner tab, select Perform full scan and then click Scan.

When the scan finishes, click OK and then Show Results.

Make sure everything is checked and then click Remove Selected.

At the end a file with the scan results will open in Notepad. Post its contents here.

If you restarted to remove malware from the PC, you will find the log in the main window under the Logs tab. Check that it is the latest one (by the date in the .txt file name).

#9
magicuzor

    New Member

  • Group: Members
  • Posts: 22
  • Joined: 13.03.2010
Hi, here is the log.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4034

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

09.01.2003 11:00:32
mbam-log-2003-01-09 (11-00-32).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 160365
Time elapsed: 39 minute(s), 57 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\Documents and Settings\Em\Local Settings\temp\omcv.exe (Trojan.Agent) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Em\Local Settings\temp\omcv.exe (Trojan.Agent) -> Delete on reboot.

#10
rootkit

    Awake. Security DNA

  • Group: Senior Members
  • Posts: 34,883
  • Joined: 07.02.2007
Restart. Any more problems?

#11
magicuzor

    New Member

  • Group: Members
  • Posts: 22
  • Joined: 13.03.2010
Hi, I think the browser got busted. It gives me errors with add-ons and on several sites.
It asks me for certificates for most sites and then gives me "encrypted connection".
I tried reinstall/delete then install. Same thing.

http://img163.images...63/7154/scf.jpg

Any idea?

Edited by magicuzor, 25 April 2010 - 17:26.


#12
rootkit

    Awake. Security DNA

  • Group: Senior Members
  • Posts: 34,883
  • Joined: 07.02.2007
Check the date and clock in Windows. Make sure they are set correctly.

Edited by crysty2k5, 25 April 2010 - 17:42.


#13
magicuzor

    New Member

  • Group: Members
  • Posts: 22
  • Joined: 13.03.2010
I'll manage this one too, I'll see how.

I want to thank you for the help, you're a great man.
If we ever meet, drinks are on me, big time.
Thanks and good luck, all the best.

#14
MhG_51

    :)

  • Group: Moderators
  • Posts: 3,325
  • Joined: 04.05.2009

magicuzor, on 25th April 2010, 22:20, said:

I'll manage this one too, I'll see how.

I want to thank you for the help, you're a great man.
If we ever meet, drinks are on me, big time.
Thanks and good luck, all the best.

Maybe we'll see each other someday.
I'll throw in a crate of beer too, as long as you get your problems solved!

Edited by MhG_40, 25 April 2010 - 22:41.


#15
rootkit

    Awake. Security DNA

  • Group: Senior Members
  • Posts: 34,883
  • Joined: 07.02.2007
Everywhere on the internet I found that the problem is caused by the Windows date and clock being set incorrectly.
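Added example, not code from the thread, from Malwarebytes or from the Softpedia forum: a small Python triage script for a Malwarebytes' Anti-Malware 1.x text log like the one posted in #9. It picks out the registry data items that had switched off Task Manager, regedit and the Security Center alerts (the symptoms described in the first post), lists the detections MBAM could not finish on the spot (the omcv.exe process it failed to unload and the file deferred to reboot), and reads the scan timestamp. That timestamp, 09.01.2003, is years behind the thread's April 2010 date, which is the wrong-clock cause rootkit points to in #12 and #15: a browser comparing a certificate issued in 2009 against a clock stuck in 2003 sees it as not yet valid. The log text is constructed from the posted report and trimmed to three registry lines, the 25 April 2010 reference date is the thread's edit date from the page, and the certificate validity window is hypothetical.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log (added example, not forum code)."""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional

# Constructed from the log posted in the thread, trimmed to a few lines.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.45

09.01.2003 11:00:32

Memory Processes Infected:
C:\Documents and Settings\Em\Local Settings\temp\omcv.exe (Trojan.Agent) -> Failed to unload process.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Em\Local Settings\temp\omcv.exe (Trojan.Agent) -> Delete on reboot.
"""

# One detection line: "<target> (<label>) -> <action>"; a section header carries no count.
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<label>[^()]+)\) -> (?P<action>.+)$")
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
THREAD_DATE = date(2010, 4, 25)  # date of the thread's last edits, taken from the page

@dataclass
class Detection:
    section: str
    target: str
    label: str
    action: str

@dataclass
class Report:
    scan_time: Optional[datetime]
    detections: List[Detection]

def parse_mbam_log(text: str) -> Report:
    """Walk the log once: pick up the locale timestamp, then the items under each section."""
    scan_time, detections, section = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None  # a blank line ends the current section
            continue
        if scan_time is None:
            try:  # MBAM writes the system locale's date format; this log uses DD.MM.YYYY
                scan_time = datetime.strptime(line, "%d.%m.%Y %H:%M:%S")
                continue
            except ValueError:
                pass
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        item = ITEM_RE.match(line)
        if section and item:
            detections.append(Detection(section, **item.groupdict()))
    return Report(scan_time, detections)

# Registry data from the posted log that switches off the user's own tools and alerts.
TAMPER_MARKERS = {
    r"\Policies\System\DisableTaskMgr": "Task Manager blocked by policy",
    r"\Policies\System\DisableRegistryTools": "regedit blocked by policy",
    r"\Security Center\AntiVirusDisableNotify": "antivirus alerts silenced",
}

def tampering_indicators(report: Report) -> List[str]:
    """Defensive-tool tampering present in the log, in log order."""
    return [note for d in report.detections
            for suffix, note in TAMPER_MARKERS.items() if d.target.endswith(suffix)]

def unresolved(report: Report) -> List[str]:
    """Targets MBAM could not clean on the spot: still running, or deferred to reboot."""
    return [d.target for d in report.detections
            if "failed" in d.action.lower() or "reboot" in d.action.lower()]

def clock_skew_days(report: Report, reference: date = THREAD_DATE) -> Optional[int]:
    """How many days the machine's clock at scan time lagged a trusted reference date."""
    return None if report.scan_time is None else (reference - report.scan_time.date()).days

def cert_status(not_before: date, not_after: date, system_clock: date) -> str:
    """Verdict a browser reaches on a certificate's validity period for a given clock."""
    if system_clock < not_before:
        return "not yet valid"
    return "expired" if system_clock > not_after else "valid"

if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(tampering_indicators(rep), unresolved(rep), clock_skew_days(rep))
    # Hypothetical certificate valid mid-2009 to mid-2011, judged by the 2003 scan clock.
    print(cert_status(date(2009, 6, 1), date(2011, 6, 1), rep.scan_time.date()))
```

The parser deliberately treats the timestamp as locale-dependent: MBAM writes the date in the machine's own format, so a log from another locale would need a different strptime pattern. The skew check is what turns the first post's "something keeps resetting the clock" into a number to compare against a later log after the fix.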

#16
magicuzor

    New Member

  • Group: Members
  • Posts: 22
  • Joined: 13.03.2010
I think something is still left that messes up my clock every time.
And it doesn't happen right after a restart; after a while, bang, the time has changed.

#17
Official

    Forzza ASA!

  • Group: Senior Members
  • Posts: 3,327
  • Joined: 27.03.2009
What time zone do you have set on the clock? Set it to +02 GMT. It may be set to something else and updating itself automatically.

#18
rootkit

    Awake. Security DNA

  • Group: Senior Members
  • Posts: 34,883
  • Joined: 07.02.2007
Check that it isn't the battery on the motherboard.
