To je to, problem je konacno resen, evo loga.
I moze li savet za neki AV, jer ovaj NOD ocito ne valja?
ComboFix 09-01-02.01 - J 2009-01-03 22:14:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1033.18.2047.1579 [GMT 1:00]
Running from: c:\documents and settings\J\Local Settings\Temp\wza21f\E-S.exe
[COLOR=RED][B]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/B][/COLOR]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\J\Application Data\sysFiles00.dll
c:\windows\system32\drivers\TDSSpqlt.sys
c:\windows\system32\gPrtDJlm.ini
c:\windows\system32\gPrtDJlm.ini2
c:\windows\system32\pakltfdr.ini
c:\windows\system32\TDSSbrsr.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqh.dll
c:\windows\system32\TDSSorvd.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSStkdu.log
c:\windows\system32\TDSSxfum.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_TDSSserv.sys
-------\Legacy_TDSSserv.sys
((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.
2009-01-02 21:17 . 2009-01-02 21:23 <DIR> d-------- c:\program files\Wise Disk Cleaner 3 Pro
2009-01-02 21:15 . 2009-01-02 21:17 <DIR> d-------- c:\program files\Wise Registry Cleaner 3 Pro
2009-01-02 11:32 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-01-02 11:32 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-01-01 13:57 . 2009-01-01 13:57 <DIR> d-------- c:\documents and settings\J\Application Data\Thinstall
2008-12-31 12:44 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2008-12-30 19:34 . 2008-12-30 19:34 <DIR> d-------- c:\program files\ChromePortable
2008-12-30 18:51 . 2008-12-30 19:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-12-30 17:47 . 2008-12-30 17:47 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-30 17:47 . 2008-12-30 17:47 1,409 --a------ c:\windows\QTFont.for
2008-12-29 19:08 . 2008-12-29 19:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Applications
2008-12-28 20:04 . 2008-12-28 20:04 <DIR> d-------- c:\program files\Eidos Interactive
2008-12-26 20:28 . 2008-12-26 20:28 1,315 --a------ c:\windows\jphdw_m16.ini
2008-12-25 18:11 . 2009-01-03 22:22 <DIR> d-------- c:\documents and settings\J\Tracing
2008-12-25 17:56 . 2008-12-25 17:56 <DIR> d-------- c:\program files\Microsoft Office Outlook Connector
2008-12-25 17:51 . 2008-12-25 17:51 <DIR> d-------- c:\program files\Windows Live SkyDrive
2008-12-25 17:51 . 2008-12-25 17:51 <DIR> d-------- c:\program files\Microsoft
2008-12-25 17:24 . 2008-12-25 17:24 <DIR> d-------- c:\program files\Common Files\Windows Live
2008-12-24 19:02 . 2008-12-24 19:02 <DIR> d-------- C:\Games
2008-12-18 13:13 . 2008-12-18 13:13 <DIR> d-------- c:\windows\ie8updates
2008-12-16 17:36 . 2007-05-27 00:50 <DIR> d-------- c:\program files\Voice Changer 4.0 Diamond
2008-12-14 14:34 . 2008-12-14 14:34 1,700,352 --a------ c:\windows\system32\gdiplus.dll
2008-12-08 15:41 . 2008-12-08 15:41 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE
2008-12-08 15:04 . 2008-12-08 15:06 <DIR> d-------- c:\program files\Rockstar Games
2008-12-07 21:34 . 2008-12-24 17:39 <DIR> d-------- c:\program files\RapidCheck
2008-12-04 14:56 . 2008-12-04 14:56 <DIR> d-------- c:\program files\Java
2008-12-04 14:56 . 2008-12-04 14:56 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-04 14:55 . 2008-12-04 14:55 0 --a------ c:\windows\system32\REN584.tmp
2008-12-04 14:55 . 2008-12-04 14:55 0 --a------ c:\windows\system32\REN583.tmp
2008-12-04 14:55 . 2008-12-04 14:55 0 --a------ c:\windows\system32\REN582.tmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-01 19:09 --------- d-----w c:\program files\wLite
2009-01-01 19:07 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-01 12:55 --------- d-----w c:\documents and settings\J\Application Data\Spy Emergency
2008-12-31 15:33 --------- d-----w c:\program files\Skype
2008-12-30 17:51 --------- d-----w c:\program files\Google
2008-12-30 16:18 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-29 18:19 --------- d-----w c:\program files\Microsoft Games
2008-12-25 16:54 --------- d-----w c:\program files\Windows Live
2008-12-24 16:42 --------- d-----w c:\program files\Illusion
2008-12-24 16:38 --------- d-----w c:\program files\DNA
2008-12-20 16:29 --------- d-----w c:\program files\PuppetMaster
2008-12-20 11:49 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-11 13:39 --------- d-----w c:\program files\Latinski Recnik 1.1
2008-12-08 14:06 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-03 19:31 --------- d-----w c:\program files\titca
2008-12-02 16:05 --------- d-----w c:\program files\Uniblue
2008-12-02 15:49 --------- d-----w c:\documents and settings\J\Application Data\Uniblue
2008-12-01 14:26 --------- d-----w c:\program files\SystemRequirementsLab
2008-11-28 15:52 --------- d-----w c:\documents and settings\All Users\Application Data\RoboForm
2008-11-28 15:51 --------- d-----w c:\program files\Siber Systems
2008-11-23 14:18 --------- d-----w c:\program files\Njegos »Gorski vijenac«
2008-11-22 20:30 --------- d-----w c:\program files\mIRC
2008-11-22 17:30 --------- d-----w c:\documents and settings\J\Application Data\SystemRequirementsLab
2008-11-15 18:20 --------- d-----w c:\documents and settings\J\Application Data\PC Suite
2008-11-14 13:03 --------- d-----w c:\documents and settings\J\Application Data\Skype
2008-11-14 13:00 --------- d-----w c:\documents and settings\J\Application Data\skypePM
2008-11-12 13:20 --------- d-----w c:\program files\Mafia-WinterEdition
2008-11-12 12:44 --------- d-----w c:\program files\MSXML 4.0
2008-11-08 14:11 --------- d-----w c:\program files\Common Files\Skype
2008-11-08 14:11 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-10-13 18:05 356,352 ----a-w c:\windows\eSellerateEngine.dll
2008-02-22 11:37 472 ----a-w c:\program files\setup.reg
2008-02-08 09:03 30,529,024 ----a-w c:\program files\kav.en.msi
2008-02-04 20:36 22,328 ----a-w c:\documents and settings\J\Application Data\PnkBstrK.sys
2007-10-02 05:08 411,248 ----a-w c:\program files\FLV PlayerRCSetup.exe
2004-07-22 08:51 3,432,656 ----a-w c:\program files\ManagedDX.CAB
2004-07-19 20:58 1,156,363 ----a-w c:\program files\BDANT.cab
2004-07-19 20:53 976,020 ----a-w c:\program files\BDAXP.cab
2004-07-09 12:17 13,265,040 ----a-w c:\program files\dxnt.cab
2004-07-09 07:13 703,080 ----a-w c:\program files\BDA.cab
2004-07-09 07:13 15,493,481 ----a-w c:\program files\DirectX.cab
2004-07-09 02:08 472,576 ----a-w c:\program files\dxsetup.exe
2004-07-09 02:08 2,242,560 ----a-w c:\program files\dsetup32.dll
2004-07-09 01:03 62,976 ----a-w c:\program files\DSETUP.dll
2008-08-02 23:14 5,852 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-07-03 13:07 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008070320080704\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2008-12-02 3882312]
c:\documents and settings\J\Start Menu\Programs\u.rar\
Thoosje Sidebar.lnk - c:\program files\Thoosje Vista Sidebar\Thoosje Sidebar.exe [2008-08-18 605696]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\
0sremcon.exe\
0autocheck smrgdf c:\documents and settings\J\Application Data\iolo\\
0lsdelete
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Media Key.lnk]
backup=c:\windows\pss\Media Key.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup
[HKLM\~\startupfolder\^.rnd]
path=\.rnd
[HKLM\~\startupfolder\^default.pls]
path=\default.pls
[HKLM\~\startupfolder\^ntuser.dat]
path=\ntuser.dat
[HKLM\~\startupfolder\^ntuser.dat.LOG]
path=\ntuser.dat.LOG
[HKLM\~\startupfolder\^ntuser.ini]
path=\ntuser.ini
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\90208
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntamediaBandwidth
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath323Domino
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Caffe-Server
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeCall
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RapidCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoftickPPP
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ThePrivacyGuard
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath323VMSnap]
--a------ 2006-09-19 14:26 212992 c:\windows\VMSnap23.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-10-05 16:24 289088 c:\program files\DNA\btdna.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 12:39 1289000 c:\program files\Microsoft ActiveSync\wcescomm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-14 01:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2008-12-02 22:41 3882312 c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2008-02-18 15:29 2221352 c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2008-02-28 08:59 570664 c:\program files\Common Files\Nero\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
--a------ 2008-06-17 16:00 1249280 c:\program files\Nokia\Nokia PC Suite 7\PcSync2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
-ra------ 2006-01-30 17:00 98304 c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 22:37 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RamBooster]
--a------ 2005-11-17 07:32 561664 c:\program files\RamBooster 2.0\Rambooster.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RGSC]
--a------ 2008-12-13 20:15 306088 c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyEmergency]
--a------ 2008-05-01 14:14 2071096 c:\program files\NETGATE\Spy Emergency 2008\SpyEmergency.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-08-18 13:29 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
--a------ 2008-05-05 12:22 1923352 c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [2006-07-05 63352]
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2007-08-19 12856]
R1 NDISAH;NDISAH;c:\windows\system32\drivers\ndisah.sys [2008-09-27 19584]
R1 SpyEmrg;Spy Emergency Driver;c:\windows\system32\drivers\spyemrg.sys [2008-05-17 12344]
R1 UsbFltr;WayTechUSBFilterDriver;c:\windows\system32\drivers\UsbFltr.sys [2007-08-19 8576]
R3 vmfilter323;323 filter service, Normal;c:\windows\system32\drivers\vmfilter323.sys [2007-08-16 420480]
R3 ZSMC326;Vimicro USB2.0 PC Camera(VC0323);c:\windows\system32\drivers\usbvm323.sys [2008-01-22 260608]
R4 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2008-03-14 578408]
R4 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2008-03-14 578408]
R4 SpyEmrgSrv;Spy Emergency Engine Service;c:\program files\NETGATE\Spy Emergency 2008\SpyEmergencySrv.exe [2008-05-17 694840]
S0 MFX;MFX; [x]
S3 DAGP;DAGP; [x]
S3 fsbl-standalone;F-Secure BlackLight Beta Engine Driver;\??\c:\docume~1\J\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys --> c:\docume~1\J\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys [?]
S3 mpr_freader;MPR FileReader Driver;\??\c:\docume~1\J\LOCALS~1\Temp\RarSFX0\mpr_freader.sys --> c:\docume~1\J\LOCALS~1\Temp\RarSFX0\mpr_freader.sys [?]
S3 SpyEmrgGuard;Spy Emergency Real-Time Shield Driver;c:\windows\system32\drivers\spyemrg_guard.sys [2008-05-17 14392]
S3 USBCamera;Icatch(IV) Still Camera Device;c:\windows\system32\drivers\Bulk533.sys [2008-09-28 10986]
S4 Ca533av;Icatch(IV) Video Camera Device;c:\windows\system32\drivers\Ca533av.sys [2008-09-28 515803]
S4 ioloProductUpdate;iolo Product Update Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2008-03-14 578408]
S4 KJYXJSM;KJYXJSM; [x]
S4 Webcam Corp. Service Starter;Webcam Corp. Service Starter;c:\program files\Webcam\Webcam123\dogsvc.exe --> c:\program files\Webcam\Webcam123\dogsvc.exe [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{220dba5a-71ea-11dd-bf54-0018f3ea3f39}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce3ecb5c-6857-11dc-9995-0018f3ea3f39}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs
.
Contents of the 'Scheduled Tasks' folder
2009-01-03 c:\windows\Tasks\User_Feed_Synchronization-{132907F2-D634-4C67-9942-44DF435096B5}.job
- c:\windows\system32\msfeedssync.exe [2008-08-22 02:05]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-9c147f9a - c:\windows\system32\rdftlkap.dll
MSConfigStartUp-WMUAgent - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.rs/
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZR&fl=0&ptb=FxQDV6NJmNITE9Cif4c9qA&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Download ALL with IDA
IE: Download with IDA
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\J\Application Data\Mozilla\Firefox\Profiles\w92mhjlz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.rs
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=vmn&type=vendio&p=
FF - plugin: c:\program files\Google\Google Updater\2.4.1439.6872\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30401.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-01-03 22:22:03
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-854245398-706699826-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Electronic Arts\H*NULL*a*NULL*r*NULL*r*NULL*y*NULL* *NULL*P*NULL*o*NULL*t*NULL*t*NULL*e*NULL*r*NULL* *NULL*a*NULL*n*NULL*d*NULL* *NULL*t*NULL*h*NULL*e*NULL* *NULL*O*NULL*r*NULL*d*NULL*e*NULL*r*NULL* *NULL*o*NULL*f*NULL* *NULL*t*NULL*h*NULL*e*NULL* *NULL*P*NULL*h*NULL*o*NULL*e*NULL*n*NULL*i*NULL*x*NULL*"!]
"Order"=hex:08,00,00,00,02,00,00,00,ce,03,00,00,01,00,00,00,06,00,00,00,98,00,\
00,00,00,00,00,00,8a,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,78,00,32,\
00,32,00,00,00,8c,38,51,8b,20,00,45,4c,45,43,54,52,7e,31,2e,55,52,4c,00,00,\
4e,00,03,00,04,00,ef,be,8c,38,51,8b,08,39,5c,a4,14,00,00,00,45,00,6c,00,65,\
00,63,00,74,00,72,00,6f,00,6e,00,69,00,63,00,20,00,52,00,65,00,67,00,69,00,\
73,00,74,00,72,00,61,00,74,00,69,00,6f,00,6e,00,2e,00,75,00,72,00,6c,00,00,\
00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00,\
be,00,00,00,01,00,00,00,b0,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,9e,\
00,32,00,39,08,00,00,8c,38,51,8b,20,00,48,41,52,52,59,50,7e,31,2e,4c,4e,4b,\
00,00,74,00,03,00,04,00,ef,be,8c,38,51,8b,08,39,5c,a4,14,00,00,00,48,00,61,\
00,72,00,72,00,79,00,20,00,50,00,6f,00,74,00,74,00,65,00,72,00,20,00,61,00,\
6e,00,64,00,20,00,74,00,68,00,65,00,20,00,4f,00,72,00,64,00,65,00,72,00,20,\
00,6f,00,66,00,20,00,74,00,68,00,65,00,20,00,50,00,68,00,6f,00,65,00,6e,00,\
69,00,78,00,22,21,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,\
be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00,96,00,00,00,02,00,00,00,88,00,\
00,00,41,75,67,4d,02,00,00,00,01,00,00,00,76,00,32,00,37,04,00,00,8c,38,51,\
8b,20,00,4d,49,43,52,4f,53,7e,31,2e,4c,4e,4b,00,00,4c,00,03,00,04,00,ef,be,\
8c,38,51,8b,08,39,5c,a4,14,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,\
00,66,00,74,00,20,00,44,00,69,00,72,00,65,00,63,00,74,00,58,00,20,00,45,00,\
55,00,4c,00,41,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,\
be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00,78,00,00,00,03,00,00,00,6a,00,\
00,00,41,75,67,4d,02,00,00,00,01,00,00,00,58,00,32,00,4b,04,00,00,8c,38,51,\
8b,20,00,52,45,41,44,4d,45,7e,31,2e,4c,4e,4b,00,00,2e,00,03,00,04,00,ef,be,\
8c,38,51,8b,08,39,5c,a4,14,00,00,00,52,00,65,00,61,00,64,00,20,00,4d,00,65,\
00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,\
1c,00,00,00,00,00,00,00,00,00,8c,00,00,00,04,00,00,00,7e,00,00,00,41,75,67,\
4d,02,00,00,00,01,00,00,00,6c,00,32,00,79,05,00,00,8c,38,51,8b,20,00,54,45,\
43,48,4e,49,7e,31,2e,4c,4e,4b,00,00,42,00,03,00,04,00,ef,be,8c,38,51,8b,08,\
39,5c,a4,14,00,00,00,54,00,65,00,63,00,68,00,6e,00,69,00,63,00,61,00,6c,00,\
20,00,53,00,75,00,70,00,70,00,6f,00,72,00,74,00,2e,00,6c,00,6e,00,6b,00,00,\
00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1c,00,00,00,00,00,00,00,00,00,\
d2,00,00,00,05,00,00,00,c4,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,b2,\
00,32,00,6c,08,00,00,8c,38,51,8b,20,00,55,4e,49,4e,53,54,7e,31,2e,4c,4e,4b,\
00,00,88,00,03,00,04,00,ef,be,8c,38,51,8b,08,39,5c,a4,14,00,00,00,55,00,6e,\
00,69,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,20,00,48,00,61,00,72,00,72,00,\
79,00,20,00,50,00,6f,00,74,00,74,00,65,00,72,00,20,00,61,00,6e,00,64,00,20,\
00,74,00,68,00,65,00,20,00,4f,00,72,00,64,00,65,00,72,00,20,00,6f,00,66,00,\
20,00,74,00,68,00,65,00,20,00,50,00,68,00,6f,00,65,00,6e,00,69,00,78,00,22,\
21,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,\
1c,00,00,00,00,00,00,00,00,00
[HKEY_USERS\S-1-5-21-854245398-706699826-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{33D2BCAC-D8CD-7C15-7D6E-9FACCABFBE7E}*NULL*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oaigbcmlfjemhihlkjbebonpcfcboo"=hex:6b,61,62,61,67,62,6b,62,65,65,6a,66,70,6c,\
61,64,67,65,68,6e,70,61,00,00
"naoldemhnmfcpobnocieijjpgagg"=hex:6b,61,62,61,6e,61,6c,63,70,62,6e,65,6e,6a,\
65,6e,6f,64,6a,6d,6c,70,00,00
[HKEY_USERS\S-1-5-21-854245398-706699826-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{57C36166-70FE-3C67-1019-08DAF9ABD357}*NULL*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"fajgffiojpod"=hex:66,61,6c,61,69,63,6b,64,67,6b,6c,6f,00,00
[HKEY_USERS\S-1-5-21-854245398-706699826-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{64DD45CF-09EE-7A4E-AEDF-8BF3633D3E5D}*NULL*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"haibciohbojgnffb"=hex:61,61,00,7c
"jaibciohbojgnffbmgoe"=hex:63,61,6a,64,67,65,00,7c
"paacdkghbkbfnjcgfggacgnnegejooni"=hex:64,61,6e,64,6a,70,61,6a,00,00
[HKEY_USERS\S-1-5-21-854245398-706699826-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{74994A84-DEEA-1D66-6253-E678E0142485}*NULL*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"aboccklpfmppekdofhmbaedacickmonjfj"=hex:62,62,61,65,6a,6c,66,6f,61,68,69,65,\
6f,63,66,69,64,64,6b,62,6a,62,62,62,67,6f,69,68,6d,61,6c,6c,6e,67,6d,6c,00,\
1f
"bboccklpfmppekdofhjbfgiabcohoipeddfb"=hex:61,62,66,65,62,6e,6a,65,6b,62,64,6b,\
61,6a,6c,6f,69,61,65,6d,65,6e,68,66,6c,67,6e,61,69,68,62,6a,64,61,00,6c
[HKEY_USERS\S-1-5-21-854245398-706699826-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9E417608-86B4-BA6E-DF09-0DF38D92EB4D}*NULL*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-854245398-706699826-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F1C3B509-B662-6634-645E-24E03CCD3F16}*NULL*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"hapmdcbcknilnbag"=hex:6f,61,65,6e,6b,6c,6f,6d,67,6b,6e,6b,61,6d,6f,70,64,68,\
6d,66,64,6b,6f,65,6a,63,6f,67,6f,6b,00,00
"hapmdcbcepcogefg"=hex:63,63,66,6b,69,66,70,68,68,67,6e,6e,67,62,64,64,6c,6a,\
63,67,62,61,6d,6d,6f,67,70,70,6b,70,63,6c,6f,62,61,65,65,62,6b,69,66,61,67,\
62,70,6b,61,6f,66,6f,6e,6e,63,6d,64,61,67,66,61,6f,6e,62,6b,62,67,62,6a,61,\
6d,69,00,00
"iadkcmfjjnbipanbhh"=hex:69,61,64,6a,62,6a,6f,67,67,68,6c,63,67,68,69,6f,62,61,\
00,00
"hanbagijpjiaefmn"=hex:69,61,64,6a,62,6a,6f,67,67,68,6c,63,67,68,69,6f,62,61,\
00,00
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{26ba0792-0985-4d80-8d59-e36016ecec97}]
@Denied: (Full) (Everyone)
"Model"=dword:0000011e
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,\
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\
3f,ce,a2,4b,39,29,d8,6e,56,96,16,73,9f,4f,94,a3,f7,89,46,8f,3c,f2,5c,68,ee,\
21,8c,c2,bc,f9,ea,af,0b,0d,1a,60,fd,e7,c1,34,ef,30,fa,b3,45,7c,c0,ca,18,a6,\
19,9c,8e,91,24,d4,cb,61,47,c6,bd,29,47,f3,bb,33,af,ab,cd,0e,56,2c,76,32,e7,\
38,2e,98,d8,aa,db,af,2e,07,98,4e,76,5f,ea,e7,0e,50,4c,a7,8c,27,9a,ce,f6,9b,\
39,12,86,d9,d9,be,35,22,f8,ac,98,55,74,7d,e3,5d,5f,fc,2c,79,70,66,b9,f0,43,\
56,ff,e4,48,eb,25,4d,90,ab,1b,0c,d4,9f,4c,45,27,90,f4,12,01,58,60,e7,75,b8,\
bd,9a,f1,4d,cb,f5,2e,74,78,3c,f7,95,2c,fd,f1,78,d9,1d,5a,42,49,8c,bf,1a,9d,\
fe,41,71,cb,3f,46,a4,7c,ab,3f,ce,c0,8f,d7,20,9f,15,65,be,a8,d9,c1,c4,0e,a9,\
32,a9,b8,eb,e4,7b,2e,a8,de,00
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):10,e5,1e,c2,35,2e,ad,24,f5,9a,81,4f,e6,b4,a9,dd,cd,b5,31,ac,84,\
f2,55,2f,af,ee,36,76,2f,af,22,a1,de,e3,95,27,fa,1d,9e,57,00,00,00,00,00,00,\
00,00,00,00
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F1C3B509-B662-6634-645E-24E03CCD3F16}\InProcServer32*NULL*]
"jabchlnhlpiejjcjdimp"=hex:69,61,64,6a,62,6a,6f,67,67,68,6c,63,67,68,69,6f,62,\
61,00,00
"iabcblenkjogbhjama"=hex:69,61,64,6a,62,6a,6f,67,67,68,6c,63,67,68,69,6f,62,61,\
00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(612)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\PSIService.exe
.
**************************************************************************
.
Completion time: 2009-01-03 22:28:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-03 21:26:48
ComboFix2.txt 2009-01-02 16:45:28
Pre-Run: 56,207,564,800 bytes free
Post-Run: 56,250,466,304 bytes free
399 --- E O F --- 2008-12-18 12:14:07