
HijackThis - thanks in advance


YOwitza
HijackThis - thanks in advance, 09.02.2008 at 04:42
Not to waste your time, here goes... My internet connection drops more and more often, and afterwards I can't connect for a while because the modem is supposedly active, or it can't find the "address book" and something else, I don't even know what... Now, since I've already tried all sorts of things, I remembered HijackThis. I doubt it will help, but it won't hurt. The log reads as follows:

Logfile of HijackThis v1.99.1
Scan saved at 5:30:00 AM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\YOweetza\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

Let me know if you need any other information. Thanks!
Roll that shit, light that shit, smoke it!

acikam

Re: HijackThis - thanks in advance, 09.02.2008 at 10:34
First, when something isn't right, i.e. an infection is suspected, the installed antivirus programs should be switched off (a bit of a problem if they're licensed), and then an online scan run.
For example, free at:
http://www.pandasecurity.com/s...vescan/default.htm?track=80383
(this scan MUST be done from Internet Explorer, accepting the installation of the ActiveX "engine", a couple of megabytes)

Second, download the FREE (new!) >Spybot - Search & Destroy<, now at version 1.5.2.20, and run the whole system through it.

Third, if there was a virus or some clever spy, it hides itself nicely so that these (mostly meaningless) logs don't even see it!
In that case download, or more precisely even without this, as an indispensable tool for "fixing errors", the so-called >ERD Commander 2005<, burn the image to a CD, and set the BIOS to boot from CD.
After booting the system from such a CD, go into the file manager option and, on ALL partitions, if there are several, and on all HDDs, if there are several, "open" the folder <System Volume Information> and delete EVERYTHING in it!!!

Fourth, find the posts on ES about tidying up the so-called Services, and switch off everything that isn't needed.

Fifth, many programs insist on going online even when we don't need that!!! For example NERO, Adobe's programs, ACDSee's... In principle, apart from a program for following the weather forecast, nothing should be let through. Especially not Windows' own programs.

Sixth, all automatic update options should be switched off: in Windows and in the other programs, including antivirus and antispyware programs.

Seventh, not all defence and protection programs get along with each other. This is the well-known term: some programs fight each other. Don't rely on your own opinion, taste and belief here. Follow many posts and draw conclusions.

Eighth, some options for total beginners should not be used, for several reasons. For example, the "legendary" System Restore. More experienced users use some grabber for that, a tool that makes an "image" of a partition or the whole disk, and then, for instance, keep a tidy packed file of the whole C partition on another partition, disk, or on a DVD.

Ninth, today the MAIN source of infections is the USB flash drive!!! Firstly because they spread easily, are hard to detect, and the original malicious programs being written are the best so far! I shudder at the thought of when the destructive ones, like the old CIH, get their turn...

Binary Mind

Re: HijackThis - thanks in advance, 09.02.2008 at 14:37
The HiJackThis! log is fine. Disable System Restore. Download Combofix to the desktop and follow the prompts. When the scan starts, don't touch the mouse or keyboard until it finishes. Then post its log. Here's the link for Combofix:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe


YOwitza

Re: HijackThis - thanks in advance, 09.02.2008 at 20:08
Thanks to both of you. Here is the Combofix log:

ComboFix 08-02.05.3 - YOweetza 2008-02-09 20:56:56.1 - NTFSx86
Running from: C:\Documents and Settings\YOweetza\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\_000003_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000010_.tmp.dll
C:\WINDOWS\system32\_000013_.tmp.dll
C:\WINDOWS\system32\_000016_.tmp.dll
C:\WINDOWS\system32\_000017_.tmp.dll
C:\WINDOWS\system32\_000018_.tmp.dll
C:\WINDOWS\system32\_000024_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-09 06:34 . 2008-02-09 06:34 <DIR> d-------- C:\Program Files\IrfanView
2008-02-09 03:59 . 2008-02-09 03:59 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-09 03:58 . 2008-02-09 03:58 <DIR> d-------- C:\Documents and Settings\YOweetza\Application Data\Lavasoft
2008-02-01 20:05 . 2008-02-02 14:44 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-01 20:05 . 2008-02-01 20:05 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-01 19:49 . 2008-02-01 19:49 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-01-27 12:51 . 2008-01-27 12:51 <DIR> d-------- C:\Program Files\QuickTime
2008-01-27 12:50 . 2008-01-27 12:50 <DIR> d-------- C:\Program Files\Xilisoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 19:55 --------- d-----w C:\Program Files\mIRC
2008-02-09 05:21 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\ACD Systems
2008-02-09 04:28 --------- d-----w C:\Program Files\DAP
2008-02-09 02:20 --------- d-----w C:\Program Files\Starcraft
2008-02-09 01:05 --------- d-----w C:\Program Files\ESET
2008-01-09 11:29 --------- d-----w C:\Program Files\Diablo II
2008-01-08 01:50 --------- d-----w C:\Program Files\Opera
2008-01-07 22:48 --------- d-----w C:\Program Files\GG Client
2008-01-04 21:27 --------- d-----w C:\Program Files\wormsarm
2008-01-04 12:28 --------- d-----w C:\Program Files\HighGrow
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:07 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-06-02 17:03 921600]
"DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2004-12-21 22:29 180312]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2003-03-12 18:41 77824]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe" [2007-06-08 18:00 146432]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Raketa Krstarice.lnk]
backup=C:\WINDOWS\pss\Raketa Krstarice.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-10-09 10:28 139264 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2005-05-19 14:47 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-08-16 19:27 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SlipStream]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-10 07:07 77824 C:\Program Files\Java\jre1.6.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-06-08 18:00 146432 C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Virtual Drive]
C:\Program Files\FarStone\VirtualDrive\vdtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 18:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"idsvc"=3 (0x3)
"wuauserv"=2 (0x2)
"Themes"=2 (0x2)
"WinDefend"=2 (0x2)
"usnjsvc"=3 (0x3)
"NBService"=3 (0x3)

R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2007-03-09 18:26]
R3 es1969;ESS 1969 Audio Driver (WDM);C:\WINDOWS\system32\drivers\es1969.sys [2001-08-17 13:19]
R3 Intels51;Intel(R) 536EP Modem;C:\WINDOWS\system32\DRIVERS\Intels51.sys [2003-05-22 16:44]
R3 st3tgbus;st3tgbus;C:\WINDOWS\system32\DRIVERS\st3tgbus.sys [2003-03-12 18:37]
R3 st3tiger;st3tiger;C:\WINDOWS\system32\DRIVERS\st3tiger.sys [2003-03-12 18:38]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 14:47]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 02:07]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 02:07]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 02:07]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 02:07]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2007-06-02 16:13:44 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 21:01:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-09 21:02:49
ComboFix-quarantined-files.txt 2008-02-09 20:02:24


Binary Mind

Re: HijackThis - thanks in advance, 09.02.2008 at 20:42
Now post a new HJT! log and a new Combofix log...

YOwitza

Re: HijackThis - thanks in advance, 09.02.2008 at 21:57
HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 10:47:12 PM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\YOweetza\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

ComboFix:

ComboFix 08-02.05.3 - YOweetza 2008-02-09 22:48:37.2 - NTFSx86
Running from: C:\Documents and Settings\YOweetza\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-09 06:34 . 2008-02-09 06:34 <DIR> d-------- C:\Program Files\IrfanView
2008-02-09 03:59 . 2008-02-09 03:59 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-09 03:58 . 2008-02-09 03:58 <DIR> d-------- C:\Documents and Settings\YOweetza\Application Data\Lavasoft
2008-02-01 20:05 . 2008-02-02 14:44 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-01 20:05 . 2008-02-01 20:05 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-01 19:49 . 2008-02-01 19:49 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-01-27 12:51 . 2008-01-27 12:51 <DIR> d-------- C:\Program Files\QuickTime
2008-01-27 12:50 . 2008-01-27 12:50 <DIR> d-------- C:\Program Files\Xilisoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 19:55 --------- d-----w C:\Program Files\mIRC
2008-02-09 05:21 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\ACD Systems
2008-02-09 04:28 --------- d-----w C:\Program Files\DAP
2008-02-09 02:20 --------- d-----w C:\Program Files\Starcraft
2008-02-09 01:05 --------- d-----w C:\Program Files\ESET
2008-01-09 11:29 --------- d-----w C:\Program Files\Diablo II
2008-01-08 01:50 --------- d-----w C:\Program Files\Opera
2008-01-07 22:48 --------- d-----w C:\Program Files\GG Client
2008-01-04 21:27 --------- d-----w C:\Program Files\wormsarm
2008-01-04 12:28 --------- d-----w C:\Program Files\HighGrow
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:07 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-06-02 17:03 921600]
"DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2004-12-21 22:29 180312]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2003-03-12 18:41 77824]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe" [2007-06-08 18:00 146432]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Raketa Krstarice.lnk]
backup=C:\WINDOWS\pss\Raketa Krstarice.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-10-09 10:28 139264 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2005-05-19 14:47 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-08-16 19:27 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SlipStream]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-10 07:07 77824 C:\Program Files\Java\jre1.6.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-06-08 18:00 146432 C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Virtual Drive]
C:\Program Files\FarStone\VirtualDrive\vdtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 18:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"idsvc"=3 (0x3)
"wuauserv"=2 (0x2)
"Themes"=2 (0x2)
"WinDefend"=2 (0x2)
"usnjsvc"=3 (0x3)
"NBService"=3 (0x3)

R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2007-03-09 18:26]
R3 es1969;ESS 1969 Audio Driver (WDM);C:\WINDOWS\system32\drivers\es1969.sys [2001-08-17 13:19]
R3 Intels51;Intel(R) 536EP Modem;C:\WINDOWS\system32\DRIVERS\Intels51.sys [2003-05-22 16:44]
R3 st3tgbus;st3tgbus;C:\WINDOWS\system32\DRIVERS\st3tgbus.sys [2003-03-12 18:37]
R3 st3tiger;st3tiger;C:\WINDOWS\system32\DRIVERS\st3tiger.sys [2003-03-12 18:38]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 14:47]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 02:07]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 02:07]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 02:07]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 02:07]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2007-06-02 16:13:44 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 22:52:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-09 22:54:30
ComboFix-quarantined-files.txt 2008-02-09 21:54:11
ComboFix2.txt 2008-02-09 20:02:50


THANKS!


Binary Mind

Re: HijackThis - thanks in advance, 09.02.2008 at 23:41
How is the infernal machine running now? Is there any need to go further :) The logs look pretty clean...

YOwitza

Re: HijackThis - thanks in advance, 10.02.2008 at 14:26
Well, I assumed it wasn't this. If I can get help with dial-up in this part of the forum, that would be nice. (:
Namely, as I said in the first post, my connection drops often as soon as I connect, and afterwards I can't connect because the modem is supposedly busy, i.e. someone/something is using it, or when I click "connect" it throws 2 errors, one is that it can't find the "phonebook" and the other error I don't know. Do you know what the problem is? Thanks...

Binary Mind

Re: HijackThis - thanks in advance, 10.02.2008 at 14:59
Well, maybe you're right and maybe you're not. You were infected, and Combofix deleted the following files:

Code:

C:\WINDOWS\system32\_000003_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000010_.tmp.dll
C:\WINDOWS\system32\_000013_.tmp.dll
C:\WINDOWS\system32\_000016_.tmp.dll
C:\WINDOWS\system32\_000017_.tmp.dll
C:\WINDOWS\system32\_000018_.tmp.dll
C:\WINDOWS\system32\_000024_.tmp.dll


Did you perhaps poke around in msconfig with the services:

Code:

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"idsvc"=3 (0x3)
"wuauserv"=2 (0x2)
"Themes"=2 (0x2)
"WinDefend"=2 (0x2)
"usnjsvc"=3 (0x3)
"NBService"=3 (0x3)

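As an added example (my code, not the thread's, HijackThis's or ComboFix's), a small Python triage script over the two kinds of output quoted above: it flags HijackThis O-lines whose target file is gone, and it reads the msconfig\services backup block from a ComboFix log to show which security-relevant services had been disabled, the point raised in the reply above. The list of services it cares about is an assumption of the example; the sample input is constructed from lines quoted in this thread.

```python
import re

# msconfig records a service it disabled under
# HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services, storing the
# service's previous start type so it can be restored later.
START_TYPE = {2: "Automatic", 3: "Manual", 4: "Disabled"}

# Services whose absence weakens the host. This list is an assumption
# made for this example; the thread and ComboFix define no such list.
SECURITY_SERVICES = {
    "wuauserv": "Automatic Updates",
    "WinDefend": "Windows Defender",
    "wscsvc": "Security Center",
    "SharedAccess": "Windows Firewall / ICS",
}

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(\d+)')


def orphan_hjt_entries(log_text):
    """HijackThis O-lines whose target file is gone: dead hooks worth removing."""
    orphans = []
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m and ("(no file)" in m.group(2) or "(file missing)" in m.group(2)):
            orphans.append((m.group(1), m.group(2)))
    return orphans


def msconfig_disabled_services(combofix_text):
    """Map service name -> original start type from the msconfig\\services block."""
    in_block, result = False, {}
    for line in combofix_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            # a new REGEDIT4 section header; stay only inside the msconfig one
            in_block = s.lower().endswith("\\msconfig\\services]")
            continue
        m = REG_VALUE.match(s) if in_block else None
        if m:
            result[m.group(1)] = int(m.group(2))
    return result


def flag_disabled_security_services(services):
    """Return the subset a defender would re-enable, with start type names."""
    return {
        name: (START_TYPE.get(start, str(start)), SECURITY_SERVICES[name])
        for name, start in services.items()
        if name in SECURITY_SERVICES
    }


# Constructed sample input, taken from lines quoted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
"""

SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"idsvc"=3 (0x3)
"wuauserv"=2 (0x2)
"Themes"=2 (0x2)
"WinDefend"=2 (0x2)
"usnjsvc"=3 (0x3)
"NBService"=3 (0x3)

R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2007-03-09 18:26]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
"""
```

Run on the samples, `orphan_hjt_entries` returns the dead O2 BHO and the O9 xpnetdiag button, and `flag_disabled_security_services` reports Automatic Updates and Windows Defender as disabled, both previously set to Automatic.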

YOwitza

Re: HijackThis - thanks in advance, 07.03.2008 at 18:58
Sorry for the delay, I was at university.
Yes, I did "poke around" in msconfig, but all I did was switch off things like the update check for Nero and Real Player, Virtual Drive (which I deleted from the computer because I use Daemon, but it's still in startup, although disabled), Clone CD, and of the Windows bits: Windows Defender (I'm not quite sure what it's for, I know it's for protecting the computer, but the effectiveness...), Windows CardSpace, Messenger Sharing Folder, Themes and Help and Support (which has never helped anyone, so I switched it off [junk computer, so the fewer processes the better]) and that's it. Was there something among these I shouldn't have switched off? Thanks!

Binary Mind

Re: HijackThis - thanks in advance, 07.03.2008 at 19:18
That's OK. I only asked because there is malware that disables certain services. The computer should be clean now. Just give me the codes of all the errors that appear; the possible codes for phone book problems are:


621 - Cannot open the phone book file.
622 - Cannot load the phone book file.
623 - Cannot find the phone book entry.
624 - Cannot write the phone book file.
625 - Invalid information found in the phone book.


Be sure to also post that other error you couldn't remember when you were listing them...

YOwitza

Re: HijackThis - thanks in advance, 08.03.2008 at 14:10
It seems the matter is resolved, since the connection hasn't dropped once and it hasn't thrown any errors. If any of this comes up again, I'll let you know. Many thanks to everyone!