WiredWX Hobby Weather Tools

Solved: Protector.I virus

Hi there!
I was wondering if you could help me with this problem. I've tried to find the solution on the forum but it seems that it's personalised for every problem so I wouldn't want to mess up something.
NOD32 is reporting this virus: Protector.I Virus. It seems to be hidden in the file C:\WINDOWS\system32\drivers\cdrom.sys, and NOD32 is unable to clean it.
Here is the OTL report.

OTL.txt:
OTL logfile created on: 15.7.2010 23:39:37 - Run 1
OTL by OldTimer - Version 3.2.9.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 0000041A | Country: Croatia | Language: HRV | Date Format: d.M.yyyy

1.022,00 Mb Total Physical Memory | 562,00 Mb Available Physical Memory | 55,00% Memory free
2,00 Gb Paging File | 2,00 Gb Available in Paging File | 88,00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29,29 Gb Total Space | 3,18 Gb Free Space | 10,86% Space Free | Partition Type: NTFS
Drive D: | 63,86 Gb Total Space | 1,87 Gb Free Space | 2,92% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PAMETNO_MOJE
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010.07.15 22:23:16 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2009.08.23 21:41:16 | 001,528,624 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2009.04.09 16:19:08 | 000,731,840 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PRC - [2009.04.09 16:17:56 | 002,029,640 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
PRC - [2008.07.03 16:38:24 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008.03.24 13:44:26 | 000,057,344 | ---- | M] (Nalpeiron Ltd.) -- C:\WINDOWS\system32\ASTSRV.exe
PRC - [2007.09.02 14:58:52 | 000,495,616 | ---- | M] () -- C:\Program Files\RocketDock\RocketDock.exe
PRC - [2007.02.04 13:02:14 | 000,079,400 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
PRC - [2004.09.29 12:14:36 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe


========== Modules (SafeList) ==========

MOD - [2010.07.15 22:23:16 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2008.11.05 11:21:57 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5705_x-ww_36cfed49\comctl32.dll
MOD - [2008.04.14 17:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2007.09.02 14:57:36 | 000,069,632 | ---- | M] () -- C:\Program Files\RocketDock\RocketDock.dll
MOD - [2007.02.05 10:29:04 | 000,139,264 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE4\OpHookSE4.dll


========== Win32 Services (SafeList) ==========

SRV - [2010.06.02 01:06:30 | 000,348,824 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2009.08.23 21:41:16 | 001,528,624 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2009.07.22 22:44:48 | 001,097,096 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2009.04.09 16:29:20 | 000,020,680 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2009.04.09 16:19:08 | 000,731,840 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2008.03.24 13:44:26 | 000,057,344 | ---- | M] (Nalpeiron Ltd.) [Auto | Running] -- C:\WINDOWS\system32\ASTSRV.exe -- (astcc)
SRV - [2005.11.14 02:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004.09.29 12:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2010.07.15 16:13:53 | 000,098,240 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdrom.sys -- (Cdrom)
DRV - [2009.12.19 15:23:13 | 000,025,512 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ggsemc.sys -- (ggsemc)
DRV - [2009.12.19 15:23:13 | 000,013,224 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ggflt.sys -- (ggflt)
DRV - [2009.12.03 19:52:36 | 000,717,296 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009.08.24 14:05:06 | 000,206,256 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2009.08.23 21:40:32 | 000,308,859 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2009.07.27 04:43:18 | 000,058,908 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2009.04.19 01:52:05 | 000,329,752 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2009.04.09 16:21:12 | 000,055,768 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdi.sys -- (epfwtdi)
DRV - [2009.04.09 16:21:10 | 000,033,096 | ---- | M] (ESET) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\epfwndis.sys -- (Epfwndis)
DRV - [2009.04.09 16:21:06 | 000,133,000 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epfw.sys -- (epfw)
DRV - [2009.04.09 16:18:02 | 000,107,256 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2009.04.09 16:10:30 | 000,113,960 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
DRV - [2008.11.16 18:39:44 | 000,131,984 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2008.04.28 21:22:10 | 000,009,344 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2008.04.14 17:00:00 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008.04.14 00:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008.03.13 04:25:36 | 002,530,176 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel(R)
DRV - [2007.11.14 19:05:16 | 000,394,952 | ---- | M] (Zone Labs, LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2007.05.01 02:11:54 | 000,630,272 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CHDAud.sys -- (HdAudAddService)
DRV - [2007.01.24 15:44:06 | 000,290,304 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2007.01.18 20:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2006.09.18 15:59:08 | 000,090,800 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\se27unic.sys -- (se27unic) Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (WDM)
DRV - [2006.09.18 15:59:02 | 000,086,560 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE27obex.sys -- (SE27obex)
DRV - [2006.09.18 15:59:00 | 000,018,704 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\se27nd5.sys -- (se27nd5) Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (NDIS)
DRV - [2006.09.18 15:58:58 | 000,088,688 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE27mgmt.sys -- (SE27mgmt) Sony Ericsson Device 039 USB WMC Device Management Drivers (WDM)
DRV - [2006.09.18 15:58:54 | 000,097,184 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE27mdm.sys -- (SE27mdm)
DRV - [2006.09.18 15:58:52 | 000,009,360 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE27mdfl.sys -- (SE27mdfl)
DRV - [2006.09.18 15:58:48 | 000,061,600 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE27bus.sys -- (SE27bus) Sony Ericsson Device 039 Driver driver (WDM)
DRV - [2006.04.15 18:26:00 | 003,658,528 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2005.08.22 01:07:00 | 001,035,008 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005.08.22 01:06:16 | 000,201,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2005.08.22 01:06:10 | 000,718,464 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2001.08.17 14:05:48 | 000,314,752 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CamDrO21.sys -- (PhilCam8116) Logitech QuickCam Pro 3000 (08B0)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://it.msn.com/iat/us_it.aspx
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = hr
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = C2 38 91 20 8B DD CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.07.15 15:48:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.07.15 15:55:43 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2009.11.16 01:33:39 | 000,000,000 | ---D | M]

[2010.03.10 11:07:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010.03.10 11:07:22 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\{2f1e6a90-e99e-11dd-ba2f-0800200c9a66}
[2010.07.15 16:14:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\b5wyzke0.default\extensions
[2010.05.22 21:33:39 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\b5wyzke0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010.07.15 16:14:49 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010.06.22 04:36:30 | 000,423,656 | ---- | M] (Oracle) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010.04.14 18:40:36 | 000,072,960 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
[2010.05.25 18:09:48 | 000,063,488 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll

O1 HOSTS File: ([2008.04.14 17:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\CHDAudPropShortcut.exe (Windows (R) Server 2003 DDK provider)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [OpwareSE4] C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [Regedit32] C:\WINDOWS\System32\regedit.exe File not found
O4 - HKLM..\Run: [Sony Ericsson PC Suite] C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe ()
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [syncman] C:\WINDOWS\System32\wuaucldt.exe File not found
O4 - HKCU..\Run: [RocketDock] C:\Program Files\RocketDock\RocketDock.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{08B785C1-3893-4154-B53B-F5D341D0AAAA}\Icon3E5562ED7.ico ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O13 - gopher Prefix: missing
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.11.15 23:07:42 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{f55e6090-3ce3-11df-9515-00130241c08a}\Shell\AutoRun\command - "" = bar/bar32.exe
O33 - MountPoints2\{f55e6090-3ce3-11df-9515-00130241c08a}\Shell\exPLore\comMand - "" = bar/////////bar32.exe
O33 - MountPoints2\{f55e6090-3ce3-11df-9515-00130241c08a}\Shell\oPEn\commaNd - "" = bar\\\\\\\\\\\bar32.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010.07.15 23:38:47 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010.07.15 21:28:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2010.07.15 20:27:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\virus
[2010.07.15 17:00:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\per te
[2010.07.15 15:56:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010.07.15 15:56:08 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010.07.15 15:55:43 | 000,423,656 | ---- | C] (Oracle) -- C:\WINDOWS\System32\deployJava1.dll
[2010.07.15 15:55:43 | 000,153,376 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javaws.exe
[2010.07.15 15:55:43 | 000,145,184 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javaw.exe
[2010.07.15 15:55:43 | 000,145,184 | ---- | C] (Oracle) -- C:\WINDOWS\System32\java.exe
[2010.07.11 23:51:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\iFood
[2010.07.11 23:50:51 | 000,000,000 | ---D | C] -- C:\Program Files\eucoSoftware
[2010.06.28 09:59:19 | 000,000,000 | ---D | C] -- C:\Program Files\Winamp Detect
[2010.06.18 15:20:32 | 000,000,000 | ---D | C] -- C:\Program Files\BBC.The.Human.Body.1to7DVDRip
[2010.06.16 13:48:15 | 000,361,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tcpip.sys
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010.07.15 22:25:47 | 006,291,456 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010.07.15 22:23:16 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010.07.15 22:18:57 | 000,444,362 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010.07.15 22:18:57 | 000,072,238 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010.07.15 22:18:56 | 000,525,946 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010.07.15 22:14:48 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010.07.15 22:14:31 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
[2010.07.15 22:14:30 | 000,050,868 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010.07.15 22:14:21 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.07.15 22:14:19 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.07.15 22:14:16 | 1071,763,456 | -HS- | M] () -- C:\hiberfil.sys
[2010.07.15 22:13:23 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010.07.15 22:13:19 | 003,712,656 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010.07.15 16:14:39 | 000,000,001 | ---- | M] () -- C:\Documents and Settings\Administrator\oashdihasidhasuidhiasdhiashdiuasdhasd
[2010.07.15 16:13:53 | 000,098,240 | ---- | M] () -- C:\WINDOWS\System32\drivers\cdrom.sys
[2010.07.14 14:17:46 | 000,036,352 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010.07.11 23:50:53 | 000,001,937 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\ICEA Check food.lnk
[2010.06.28 09:53:53 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010.06.23 11:21:13 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\FOXIT_PDF
[2010.06.22 16:46:34 | 000,084,480 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\I NUOVI ADOLESCENTI.doc
[2010.06.22 04:36:38 | 000,153,376 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javaws.exe
[2010.06.22 04:36:37 | 000,145,184 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javaw.exe
[2010.06.22 04:36:36 | 000,145,184 | ---- | M] (Oracle) -- C:\WINDOWS\System32\java.exe
[2010.06.22 04:36:29 | 000,423,656 | ---- | M] (Oracle) -- C:\WINDOWS\System32\deployJava1.dll
[2010.06.22 02:24:28 | 000,073,728 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javacpl.cpl
[2010.06.18 21:50:52 | 000,338,920 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\humphrey social intelligence.PDF
[2010.06.17 10:39:04 | 000,152,384 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010.06.17 00:19:46 | 000,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2010.06.17 00:19:02 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.07.15 22:14:16 | 1071,763,456 | -HS- | C] () -- C:\hiberfil.sys
[2010.07.15 12:08:53 | 000,000,001 | ---- | C] () -- C:\Documents and Settings\Administrator\oashdihasidhasuidhiasdhiashdiuasdhasd
[2010.07.11 23:50:53 | 000,001,937 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\ICEA Check food.lnk
[2010.06.23 11:21:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\FOXIT_PDF
[2010.06.22 16:46:34 | 000,084,480 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\I NUOVI ADOLESCENTI.doc
[2010.06.18 21:52:11 | 000,338,920 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\humphrey social intelligence.PDF
[2010.05.26 17:20:15 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2010.05.26 17:20:15 | 000,000,205 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
[2010.04.04 00:13:06 | 000,000,014 | ---- | C] () -- C:\WINDOWS\System32\systeminfo.dll
[2010.04.04 00:09:17 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2009.12.04 00:36:03 | 000,164,352 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009.12.04 00:35:48 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009.12.04 00:35:48 | 000,755,027 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009.12.04 00:35:48 | 000,159,839 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009.12.04 00:35:38 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009.12.04 00:35:38 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009.12.03 20:41:07 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009.11.30 19:11:15 | 000,000,412 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2009.11.27 09:55:28 | 000,009,728 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2009.11.27 09:40:26 | 000,717,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009.11.16 20:35:56 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009.08.23 21:41:22 | 000,197,424 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2009.08.23 21:41:14 | 000,193,328 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2008.05.02 15:49:40 | 000,098,240 | ---- | C] () -- C:\WINDOWS\System32\drivers\cdrom.sys
[2006.04.15 18:26:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006.04.15 18:26:00 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006.04.15 18:26:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006.04.15 18:26:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006.04.15 18:26:00 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2003.01.07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Alternate Data Streams ==========

@Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

Extras.txt:

OTL Extras logfile created on: 15.7.2010 23:39:37 - Run 1
OTL by OldTimer - Version 3.2.9.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 0000041A | Country: Croatia | Language: HRV | Date Format: d.M.yyyy

1.022,00 Mb Total Physical Memory | 562,00 Mb Available Physical Memory | 55,00% Memory free
2,00 Gb Paging File | 2,00 Gb Available in Paging File | 88,00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29,29 Gb Total Space | 3,18 Gb Free Space | 10,86% Space Free | Partition Type: NTFS
Drive D: | 63,86 Gb Total Space | 1,87 Gb Free Space | 2,92% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PAMETNO_MOJE
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\SopCast\adv\SopAdver.exe" = C:\Program Files\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver -- (www.sopcast.com)
"C:\Program Files\SopCast\SopCast.exe" = C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application -- (www.sopcast.com)
"C:\Program Files\Sony Ericsson\Update Service\Update Service.exe" = C:\Program Files\Sony Ericsson\Update Service\Update Service.exe:*:Enabled:Update Service -- File not found
"C:\Program Files\TVAnts\Tvants.exe" = C:\Program Files\TVAnts\Tvants.exe:*:Enabled:TVAnts -- (Zhejiang University)
"D:\games\TmUnitedForever\TmForever.exe" = D:\games\TmUnitedForever\TmForever.exe:*:Disabled:TmForever -- File not found
"C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" = C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe:*:Enabled:ESET Smart Security -- (ESET)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{08B785C1-3893-4154-B53B-F5D341D0AAAA}" = Cisco Systems VPN Client 5.0.06.0110
"{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}" = Scan
"{107CDD66-ED13-44C8-B392-D295B66AB6E8}_is1" = PamFax 2.0.0.18
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP210_series" = Canon MP210 series
"{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{23C3F5C0-566B-478B-AAB6-197ADAD0C945}" = Uniblue SpeedUpMyPC 2009
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 21
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{505AFDC0-5E72-4928-8368-5DEA385E3647}" = CorelDRAW Graphics Suite 12
"{5469D537-9B44-4c78-BF2D-5F9807564F74}" = HP PSC & OfficeJet 4.7
"{655CB07D-C944-40BE-B93F-55957CAC7625}" = AiO_Scan
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{82883B23-3CB9-47C1-90C3-463C7B319F08}" = ICEA Check
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AEF7A12C-CD9B-4773-8AD1-6916138CA7EA}" = SmartAudio
"{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}" = Windows Rights Management Client with Service Pack 2
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C25215FC-5900-48B0-B93C-8D3379027312}" = PASW Statistics 18
"{C427E746-4EC9-4E3C-AACB-C6BB1F714D7F}" = Uniblue DriverScanner 2009
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 Service Pack 1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{DB780B85-B4B5-4864-A49C-9B706B169C93}" = TIPCI
"{DEE88727-779B-47A9-ACEF-F87CA5F92A65}" = ScanSoft OmniPage SE 4
"{E63E34A7-E552-412B-9E40-FD6FC5227ABA}" = Uniblue RegistryBooster 2009
"{EC905264-BCFE-423B-9C42-C3A106266790}" = Windows Rights Management Client Backwards Compatibility SP2
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{EDD5DA26-1D0A-4AF4-9B7C-E21ADD578A96}" = ESET Smart Security
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FC906D5C-91F9-4DA4-A765-6DCBB669F317}" = Sony Ericsson PC Suite
"7-Zip" = 7-Zip 9.12 beta
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"BSPlayer1" = BS.Player
"Canon MP210 series User Registration" = Canon MP210 series User Registration
"CNXT_HDAUDIO" = Conexant HD Audio
"CNXT_MODEM_HDAUDIO_CPL30A5m" = HDAUDIO Soft Data Fax Modem with SmartCP
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2009-09-09
"DVD X Player 5.4 Professional_is1" = DVD X Player 5.4 Professional
"ESET Online Scanner" = ESET Online Scanner v3
"Exact Audio Copy" = Exact Audio Copy 0.95b4
"foobar2000" = foobar2000 v0.9.6.9
"Foxit PDF Editor" = Foxit PDF Editor
"Foxit Reader" = Foxit Reader
"HP Photo & Imaging" = HP Image Zone 4.7
"Inkscape" = Inkscape 0.47
"InstallShield_{DB780B85-B4B5-4864-A49C-9B706B169C93}" = Texas Instruments PCIxx21/x515/xx12 drivers.
"IrfanView" = IrfanView (remove only)
"KLiteCodecPack_is1" = K-Lite Codec Pack 4.0.0 (Full)
"Lotus Turbo Challenge_is1" = Lotus Turbo Challenge
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Silverlight" = Microsoft Silverlight
"Mozilla Firefox (3.6.6)" = Mozilla Firefox (3.6.6)
"Nero8Lite_is1" = Nero 8 Micro
"NVIDIA Drivers" = NVIDIA Drivers
"PowerISO" = PowerISO
"R for Windows 2.11.0_is1" = R for Windows 2.11.0
"RocketDock_is1" = RocketDock 1.3.5
"SopCast" = SopCast 3.2.4
"Spyware Doctor" = Spyware Doctor 6.1
"SuperLab_is1" = SuperLab 4.0.7b
"TVAnts 1.0" = TVAnts 1.0
"Uniblue RegistryBooster 2009" = Uniblue RegistryBooster 2009
"Uniblue SpeedUpMyPC 2009" = Uniblue SpeedUpMyPC 2009
"VLC media player" = VLC media player 1.0.5
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Winamp" = Winamp
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{BDE4805C-4A64-4C6D-8547-5B7DB885C65F}_is1" = Daniel's XL Toolbox 2.70
"JabRef" = JabRef
"Winamp Detect" = Winamp Detector Plug-in

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 26.6.2010 3:25:07 | Computer Name = PAMETNO_MOJE | Source = ESENT | ID = 485
Description = wlcomm (3428) An attempt to delete the file "C:\Documents and Settings\Administrator\Local
Settings\Application Data\Microsoft\Windows Live Contacts\{aa360172-e16a-45c8-b180-e31e079ef2fa}\DBStore\tempedb.edb"
failed with system error 5 (0x00000005): "Access is denied. ". The delete file
operation will fail with error -1032 (0xfffffbf8).

Error - 27.6.2010 5:15:18 | Computer Name = PAMETNO_MOJE | Source = LoadPerf | ID = 3006
Description = Unable to read the performance counter strings of the 01a language
ID. The Win32 status returned by the call is the first DWORD in Data section.

Error - 28.6.2010 3:54:19 | Computer Name = PAMETNO_MOJE | Source = Application Hang | ID = 1002
Description = Hanging application bsplayer.exe, version 2.1.6.945, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 15.7.2010 10:33:35 | Computer Name = PAMETNO_MOJE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 15.7.2010 10:33:35 | Computer Name = PAMETNO_MOJE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 15.7.2010 10:35:09 | Computer Name = PAMETNO_MOJE | Source = Application Error | ID = 1000
Description = Faulting application update.exe, version 5.5.0.53, faulting module
update.exe, version 5.5.0.53, fault address 0x003bf20f.

Error - 15.7.2010 10:41:27 | Computer Name = PAMETNO_MOJE | Source = Application Error | ID = 1000
Description = Faulting application update.exe, version 5.5.0.53, faulting module
update.exe, version 5.5.0.53, fault address 0x003bf20f.

Error - 15.7.2010 13:57:29 | Computer Name = PAMETNO_MOJE | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.2.3828, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 15.7.2010 16:29:01 | Computer Name = PAMETNO_MOJE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 15.7.2010 16:29:01 | Computer Name = PAMETNO_MOJE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

[ System Events ]
Error - 15.7.2010 17:38:37 | Computer Name = PAMETNO_MOJE | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL.
Reference
error message: The operation completed successfully. .

Error - 15.7.2010 17:38:37 | Computer Name = PAMETNO_MOJE | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 15.7.2010 17:38:37 | Computer Name = PAMETNO_MOJE | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference
error message: The referenced assembly is not installed on your system. .

Error - 15.7.2010 17:38:37 | Computer Name = PAMETNO_MOJE | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL.
Reference
error message: The operation completed successfully. .

Error - 15.7.2010 17:39:08 | Computer Name = PAMETNO_MOJE | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 15.7.2010 17:39:08 | Computer Name = PAMETNO_MOJE | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference
error message: The referenced assembly is not installed on your system. .

Error - 15.7.2010 17:39:08 | Computer Name = PAMETNO_MOJE | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL.
Reference
error message: The operation completed successfully. .

Error - 15.7.2010 17:39:08 | Computer Name = PAMETNO_MOJE | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 15.7.2010 17:39:08 | Computer Name = PAMETNO_MOJE | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference
error message: The referenced assembly is not installed on your system. .

Error - 15.7.2010 17:39:08 | Computer Name = PAMETNO_MOJE | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL.
Reference
error message: The operation completed successfully. .


< End of report >

Thank you!

Re: Protector.I virus
Hi ghoo and Welcome to GeekPolice!



Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions, and please do not attempt any fixes on your own or run scanners unless requested by me or another helper.
---------------------------------------------------------------------------------------------



  1. Download ComboFix from below:

    Combofix download


    * IMPORTANT !!! Place combofix.exe on your Desktop

  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here

  3. Double click on combofix.exe & follow the prompts.

  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.


    Click on Yes, to continue scanning for malware.

  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------

  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------





Re: Protector.I virus
Hi! Thanks a lot for the answer!
This is the combo log, but as I haven't been connected to the internet at the time I was running it, it didn't download the Microsoft Windows Recovery Console. I downloaded it after...hope I didn't mess up something...

ComboFix 10-07-15.03 - Administrator 16.07.2010 9:55.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.385.1033.18.1022.608 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\windows\system32\lsprst7.dll

----- BITS: Possible infected sites -----

hxxp://au.download.windowsupdatej+|Cv+@J:NGD_DQ{zcxLJS@P7zB1$zWU Client DownloadS-1-5-18`HT4?? 6VwoQZCDHM6VwoQZCDHMXuhdZ$hdZ$hdZ$hdZ$hkcxLJS@GD_DQ{zGD_DQ{zGD_DQ{z+@J:Nj+|Cvupdate.com
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - c:\system volume information\_restore{07A9C310-B16A-4073-80C6-FCD7C78992D0}\RP228\A0053188.sys

.
((((((((((((((((((((((((( Files Created from 2010-06-16 to 2010-07-16 )))))))))))))))))))))))))))))))
.

2010-07-15 13:56 . 2010-07-15 13:56 -------- d-----w- c:\program files\Common Files\Java
2010-07-15 13:56 . 2010-07-15 13:56 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6e906963-n\msvcp71.dll
2010-07-15 13:56 . 2010-07-15 13:56 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6e906963-n\jmc.dll
2010-07-15 13:56 . 2010-07-15 13:56 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6e906963-n\msvcr71.dll
2010-07-15 13:55 . 2010-07-15 13:55 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1cf0d209-n\decora-sse.dll
2010-07-15 13:55 . 2010-07-15 13:55 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1cf0d209-n\decora-d3d.dll
2010-07-15 13:55 . 2010-06-22 02:36 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-11 21:51 . 2010-07-11 21:57 -------- d-----w- c:\documents and settings\All Users\Application Data\iFood
2010-07-11 21:50 . 2010-07-11 21:50 8854 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{82883B23-3CB9-47C1-90C3-463C7B319F08}\Uninstall_ICEA_Check_82883B233CB947C190C3463C7B319F08.exe
2010-07-11 21:50 . 2010-07-11 21:50 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{82883B23-3CB9-47C1-90C3-463C7B319F08}\ARPPRODUCTICON.exe
2010-07-11 21:50 . 2010-07-11 21:50 40960 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{82883B23-3CB9-47C1-90C3-463C7B319F08}\iFood.EXE1112_82883B233CB947C190C3463C7B319F08.EXE
2010-07-11 21:50 . 2010-07-11 21:50 40960 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{82883B23-3CB9-47C1-90C3-463C7B319F08}\iFood.EXE111_82883B233CB947C190C3463C7B319F08.EXE
2010-07-11 21:50 . 2010-07-11 21:50 -------- d-----w- c:\program files\eucoSoftware
2010-06-28 07:59 . 2010-06-28 07:59 -------- d-----w- c:\program files\Winamp Detect
2010-06-18 13:20 . 2010-06-18 15:13 -------- d-----w- c:\program files\BBC.The.Human.Body.1to7DVDRip
2010-06-16 11:48 . 2008-06-20 11:51 361600 -c----w- c:\windows\system32\dllcache\tcpip.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-16 08:08 . 2009-11-15 22:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-07-16 08:07 . 2009-11-15 22:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2010-07-15 20:29 . 2009-11-15 23:19 -------- d-----w- c:\program files\ESET
2010-07-15 17:57 . 2010-06-01 22:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-15 13:55 . 2009-11-15 21:13 -------- d-----w- c:\program files\Java
2010-06-28 21:10 . 2009-11-17 15:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2010-06-28 08:01 . 2009-11-25 17:21 -------- d-----w- c:\program files\Winamp
2010-06-23 13:16 . 2010-04-14 16:37 -------- d-----w- c:\program files\Foxit Software
2010-06-17 08:39 . 2009-11-15 21:01 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-13 10:31 . 2010-06-13 10:31 -------- d-----w- c:\program files\Common Files\Skype
2010-06-11 19:26 . 2009-12-19 12:38 -------- d-----w- c:\program files\Common Files\Teleca Shared
2010-06-11 19:26 . 2010-06-11 19:26 -------- d-----w- c:\program files\Common Files\Sony Ericsson Shared
2010-06-11 19:25 . 2010-06-11 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Ericsson
2010-06-11 19:25 . 2009-12-19 12:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Teleca
2010-06-04 16:15 . 2010-06-01 22:51 -------- d-----w- c:\program files\Spyware Doctor
2010-06-01 22:54 . 2010-06-01 22:52 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-01 22:51 . 2010-06-01 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-06-01 22:51 . 2010-06-01 22:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2010-06-01 22:42 . 2010-05-18 21:09 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2010-06-01 22:37 . 2010-06-01 22:37 -------- d-----w- c:\program files\PC Tools Spyware Doctor 6.1.0.448
2010-05-28 21:45 . 2009-12-19 12:38 -------- d-----w- c:\program files\Sony Ericsson
2010-05-27 14:03 . 2009-11-16 00:36 27184 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-27 10:33 . 2010-05-26 15:23 186 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\prsgrc.dll
2010-05-26 15:21 . 2010-05-26 15:21 -------- d-----w- c:\program files\Common Files\SPSS
2010-05-26 15:21 . 2010-05-26 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SPSS
2010-05-26 15:21 . 2010-05-26 15:21 -------- d-----w- c:\program files\Common Files\SPSSInc
2010-05-26 15:20 . 2010-05-26 15:20 -------- d-----w- c:\program files\SPSSInc
2010-05-26 15:20 . 2010-05-26 15:20 1025 ----a-w- c:\windows\system32\sysprs7.dll
2010-05-25 09:19 . 2010-05-18 22:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-25 09:04 . 2010-05-18 21:14 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2010-05-25 09:02 . 2010-05-25 09:00 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{D5ABFFAD-D592-4F98-B02B-587125B4801F}
2010-05-25 09:02 . 2010-05-18 21:10 -------- d-----w- c:\program files\Uniblue
2010-05-18 21:41 . 2010-05-18 21:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue
2010-05-18 21:18 . 2010-05-18 21:17 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
2010-05-18 09:24 . 2010-05-12 20:45 715098 ----a-w- c:\documents and settings\Administrator\Application Data\Microsoft\AddIns\XLToolbox\uninstall\unins000.exe
2010-05-02 10:04 . 2009-02-09 14:08 1860352 ----a-w- c:\windows\system32\win32k.sys
2010-04-27 18:43 . 2010-04-27 15:36 68476 ----a-w- c:\windows\hpoins05.dat
2010-04-20 05:37 . 2008-05-27 20:29 285824 ----a-w- c:\windows\system32\atmfd.dll
.

------- Sigcheck -------

[-] 2009-04-18 . C951DB3D9B6EF3CF4B82454D30A8BF59 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 61952]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-04-09 2029640]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-15 7561216]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-04-15 86016]
"nwiz"="nwiz.exe" [2006-04-15 1519616]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 487424]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{08B785C1-3893-4154-B53B-F5D341D0AAAA}\Icon3E5562ED7.ico [2010-5-4 6144]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\egui.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2.6.2010 0:53 206256]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [6.2.2009 15:23 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9.4.2009 16:19 731840]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [19.12.2009 15:24 13224]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2.6.2010 0:52 348824]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27.11.2009 9:40 717296]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\b5wyzke0.default\
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-syncman - c:\windows\system32\wuaucldt.exe
AddRemove-Lotus Turbo Challenge_is1 - c:\lotus turbo challenge\unins000.exe
AddRemove-{C427E746-4EC9-4E3C-AACB-C6BB1F714D7F} - c:\documents and settings\All Users\Application Data\{D5ABFFAD-D592-4F98-B02B-587125B4801F}\DriverScanner_Setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-16 10:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-507921405-287218729-515967899-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e7,83,92,aa,3b,cc,d3,4a,9e,c9,4a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e7,83,92,aa,3b,cc,d3,4a,9e,c9,4a,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2768)
c:\windows\system32\WININET.dll
c:\program files\RocketDock\RocketDock.dll
c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ASTSRV.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-07-16 10:11:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-16 08:11

Pre-Run: 3.340.050.432 bytes free
Post-Run: 5.172.912.128 bytes free

- - End Of File - - 2CA2A44CA96F1A5ED16278003D149275

This is the log after downloading the Microsoft Windows Recovery Console:

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

I didn't rerun the malware scanning.

Re: Protector.I virus
Hi

cdrom.sys was found and disinfected. That is a good thing. You can connect to the Internet now.

Please read the following through carefully so that you understand what to do.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)


    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v


  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.




Re: Protector.I virus

01:01:31:765 3088 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
01:01:31:765 3088 ================================================================================
01:01:31:765 3088 SystemInfo:

01:01:31:765 3088 OS Version: 5.1.2600 ServicePack: 3.0
01:01:31:765 3088 Product type: Workstation
01:01:31:765 3088 ComputerName: PAMETNO_MOJE
01:01:31:765 3088 UserName: Administrator
01:01:31:765 3088 Windows directory: C:\WINDOWS
01:01:31:765 3088 System windows directory: C:\WINDOWS
01:01:31:765 3088 Processor architecture: Intel x86
01:01:31:765 3088 Number of processors: 2
01:01:31:765 3088 Page size: 0x1000
01:01:31:765 3088 Boot type: Normal boot
01:01:31:765 3088 ================================================================================
01:01:32:187 3088 Initialize success
01:01:32:187 3088
01:01:32:187 3088 Scanning Services ...
01:01:32:265 3088 Raw services enum returned 368 services
01:01:32:281 3088
01:01:32:281 3088 Scanning Drivers ...
01:01:33:953 3088 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
01:01:34:000 3088 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
01:01:34:062 3088 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
01:01:34:093 3088 AFD (38d7b715504da4741df35e3594fe2099) C:\WINDOWS\System32\drivers\afd.sys
01:01:34:171 3088 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
01:01:34:234 3088 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
01:01:34:265 3088 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
01:01:34:312 3088 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
01:01:34:343 3088 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
01:01:34:468 3088 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
01:01:34:484 3088 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
01:01:34:546 3088 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
01:01:34:578 3088 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
01:01:34:640 3088 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
01:01:34:687 3088 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
01:01:34:718 3088 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
01:01:34:750 3088 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
01:01:34:796 3088 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
01:01:34:843 3088 CVPNDRVA (34c345aaf390c12ae6e51b75198e8564) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
01:01:34:890 3088 Disk (47b6aaec570f2c11d8bad80a064d8ed1) C:\WINDOWS\system32\DRIVERS\disk.sys
01:01:34:937 3088 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
01:01:35:093 3088 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
01:01:35:125 3088 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
01:01:35:171 3088 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
01:01:35:203 3088 DNE (b5aa5aa5ac327bd7c1aec0c58f0c1144) C:\WINDOWS\system32\DRIVERS\dne2000.sys
01:01:35:234 3088 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
01:01:35:343 3088 E100B (ac9cf17ee2ae003c98eb4f5336c38058) C:\WINDOWS\system32\DRIVERS\e100b325.sys
01:01:35:406 3088 eamon (3b2e8f97b6869c29da023ee75bf585d5) C:\WINDOWS\system32\DRIVERS\eamon.sys
01:01:35:437 3088 ehdrv (4fad054cbcaa296be7bd2cb77da9d9b4) C:\WINDOWS\system32\DRIVERS\ehdrv.sys
01:01:35:468 3088 epfw (63c9dfc27c401bff6188a1ca68d0abb0) C:\WINDOWS\system32\DRIVERS\epfw.sys
01:01:35:546 3088 Epfwndis (3b47010b2425b69826004767e59045ba) C:\WINDOWS\system32\DRIVERS\Epfwndis.sys
01:01:35:640 3088 epfwtdi (c26091451feae08530446f293064ba42) C:\WINDOWS\system32\DRIVERS\epfwtdi.sys
01:01:35:703 3088 exFat (4d893323dae445e34a4c9038b0551bc9) C:\WINDOWS\system32\drivers\exFat.sys
01:01:35:781 3088 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
01:01:35:828 3088 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
01:01:35:843 3088 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
01:01:35:875 3088 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
01:01:35:937 3088 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
01:01:35:953 3088 Fs_Rec (30d42943a54704ef13e2562911dbfcea) C:\WINDOWS\system32\drivers\Fs_Rec.sys
01:01:35:968 3088 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
01:01:36:031 3088 ggflt (007aea2e06e7cef7372e40c277163959) C:\WINDOWS\system32\DRIVERS\ggflt.sys
01:01:36:140 3088 ggsemc (c73de35960ca75c5ab4ae636b127c64e) C:\WINDOWS\system32\DRIVERS\ggsemc.sys
01:01:36:250 3088 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
01:01:36:312 3088 HBtnKey (407e41ddb2bfece109132aec296e0d98) C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
01:01:36:390 3088 HdAudAddService (34af2366ae5ba06626b023c81369039e) C:\WINDOWS\system32\drivers\CHDAud.sys
01:01:36:453 3088 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
01:01:36:546 3088 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
01:01:36:609 3088 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
01:01:36:687 3088 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
01:01:36:718 3088 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
01:01:36:781 3088 HSFHWAZL (89e256c5f5346be265d9f86ac8625d4f) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
01:01:36:890 3088 HSF_DPV (0e44af3828111d4c3e73c33ac95226d8) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
01:01:37:125 3088 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
01:01:37:312 3088 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
01:01:37:437 3088 iaStor (71ecc07bc7c5e24c3dd01d8a29a24054) C:\WINDOWS\system32\DRIVERS\iaStor.sys
01:01:37:562 3088 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
01:01:37:625 3088 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
01:01:37:640 3088 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
01:01:37:671 3088 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
01:01:37:734 3088 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
01:01:37:765 3088 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
01:01:37:796 3088 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
01:01:37:812 3088 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
01:01:37:859 3088 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
01:01:37:906 3088 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
01:01:38:000 3088 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
01:01:38:078 3088 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
01:01:38:140 3088 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\WINDOWS\system32\drivers\klmd.sys
01:01:38:187 3088 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
01:01:38:234 3088 KSecDD (c6ebf1d6ad71df30db49b8d3287e1368) C:\WINDOWS\system32\drivers\KSecDD.sys
01:01:38:296 3088 mdmxsdk (74f4372af97a587ecec527ec34955712) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
01:01:38:359 3088 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
01:01:38:437 3088 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
01:01:38:531 3088 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
01:01:38:593 3088 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
01:01:38:625 3088 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
01:01:38:656 3088 MRxDAV (65e818c473e220b6ab762e1966296fd1) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
01:01:38:734 3088 MRxSmb (d09b9f0b9960dd41e73127b7814c115f) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
01:01:38:781 3088 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
01:01:38:828 3088 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
01:01:38:890 3088 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
01:01:38:968 3088 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
01:01:39:062 3088 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
01:01:39:125 3088 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
01:01:39:156 3088 Mup (6546fe6639499fa4bef180bdf08266a1) C:\WINDOWS\system32\drivers\Mup.sys
01:01:39:203 3088 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
01:01:39:281 3088 NDIS (b5b1080d35974c0e718d64280761bcd5) C:\WINDOWS\system32\drivers\NDIS.sys
01:01:39:296 3088 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
01:01:39:328 3088 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
01:01:39:390 3088 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
01:01:39:437 3088 NdisWan (b053a8411045fd0664b389a090cb2bbc) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
01:01:39:515 3088 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
01:01:39:546 3088 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
01:01:39:578 3088 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
01:01:39:734 3088 NETw4x32 (d57258165aba8162de8e29d71487fc4b) C:\WINDOWS\system32\DRIVERS\NETw4x32.sys
01:01:39:875 3088 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
01:01:39:890 3088 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
01:01:39:937 3088 Ntfs (ae8cad8f28db13b515a68510a539b0b8) C:\WINDOWS\system32\drivers\Ntfs.sys
01:01:40:125 3088 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
01:01:40:390 3088 nv (88d8f8d4c3243e0bb0ed57496868e52e) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
01:01:40:562 3088 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
01:01:40:593 3088 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
01:01:40:625 3088 ohci1394 (2553f7c60b8d291b5a812245e6d4da6e) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
01:01:40:671 3088 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
01:01:40:718 3088 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
01:01:40:750 3088 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
01:01:40:781 3088 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
01:01:40:906 3088 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
01:01:40:953 3088 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
01:01:41:015 3088 PCTCore (d302a59e6d1842a201930928a5bad68b) C:\WINDOWS\system32\drivers\PCTCore.sys
01:01:41:125 3088 PhilCam8116 (8754763a924639b9d07d4c8ea9990f1e) C:\WINDOWS\system32\DRIVERS\CamDrO21.sys
01:01:41:171 3088 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
01:01:41:187 3088 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
01:01:41:234 3088 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
01:01:41:250 3088 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
01:01:41:343 3088 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
01:01:41:390 3088 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
01:01:41:468 3088 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
01:01:41:500 3088 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
01:01:41:531 3088 Rdbss (77050c6615f6eb5402f832b27fd695e0) C:\WINDOWS\system32\DRIVERS\rdbss.sys
01:01:41:609 3088 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
01:01:41:656 3088 rdpdr (c694a927eb7c354f7ae97955043a9641) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
01:01:41:687 3088 RDPWD (e8e3107243b16a549b88d145ec051b06) C:\WINDOWS\system32\drivers\RDPWD.sys
01:01:41:734 3088 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
01:01:41:765 3088 rspndr (743d7d59767073a617b1dcc6c546f234) C:\WINDOWS\system32\DRIVERS\rspndr.sys
01:01:41:812 3088 SCDEmu (23aa53256ce05b975398b78a33474265) C:\WINDOWS\system32\drivers\SCDEmu.sys
01:01:41:890 3088 sdbus (d4efa70468110dbabb9bfe62e63afa68) C:\WINDOWS\system32\DRIVERS\sdbus.sys
01:01:41:968 3088 SE27bus (59a9eb4073a39895af314780d0a032fa) C:\WINDOWS\system32\DRIVERS\SE27bus.sys
01:01:42:062 3088 SE27mdfl (d53e7e53107d1796825540129f8fe89f) C:\WINDOWS\system32\DRIVERS\SE27mdfl.sys
01:01:42:109 3088 SE27mdm (2afa2f65a6e91da5b5070e734769827e) C:\WINDOWS\system32\DRIVERS\SE27mdm.sys
01:01:42:140 3088 SE27mgmt (5a33a8d7b44c7bd8abe248b4dcd1ff3c) C:\WINDOWS\system32\DRIVERS\SE27mgmt.sys
01:01:42:171 3088 se27nd5 (bb30139683bbf3ee89ec931393d9335c) C:\WINDOWS\system32\DRIVERS\se27nd5.sys
01:01:42:203 3088 SE27obex (5da6ff71e94b9134ddd094ebb09f05e6) C:\WINDOWS\system32\DRIVERS\SE27obex.sys
01:01:42:265 3088 se27unic (4d54a9d7c22157ab3d2442e8bcf5ecd2) C:\WINDOWS\system32\DRIVERS\se27unic.sys
01:01:42:312 3088 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
01:01:42:343 3088 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
01:01:42:375 3088 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
01:01:42:437 3088 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
01:01:42:546 3088 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
01:01:42:625 3088 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\system32\Drivers\sptd.sys
01:01:42:703 3088 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
01:01:42:765 3088 Srv (30efed0c77d59ae0cacb0b5c756767ed) C:\WINDOWS\system32\DRIVERS\srv.sys
01:01:42:828 3088 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
01:01:42:875 3088 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
01:01:42:984 3088 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
01:01:43:031 3088 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
01:01:43:109 3088 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
01:01:43:156 3088 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
01:01:43:187 3088 TDTCP (c0578456f29e5f26285f81b7b71fe57d) C:\WINDOWS\system32\drivers\TDTCP.sys
01:01:43:281 3088 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
01:01:43:359 3088 tifm21 (e4c85c291ddb3dc5e4a2f227ca465ba6) C:\WINDOWS\system32\drivers\tifm21.sys
01:01:43:421 3088 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
01:01:43:546 3088 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
01:01:43:609 3088 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
01:01:43:703 3088 usbccgp (c18d6c74953621346df6b0a11f80c1cc) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
01:01:43:765 3088 usbehci (4bac8df07f1d8434fc640e677a62204e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
01:01:43:781 3088 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
01:01:43:843 3088 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
01:01:43:921 3088 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
01:01:43:984 3088 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
01:01:44:000 3088 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
01:01:44:046 3088 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
01:01:44:093 3088 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
01:01:44:187 3088 vsdatant (0354ba3a5ba5e28cc247eb5f5dd8793c) C:\WINDOWS\system32\vsdatant.sys
01:01:44:250 3088 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
01:01:44:312 3088 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
01:01:44:453 3088 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
01:01:44:531 3088 winachsf (214bc3ad84907ad6ad655ac5465f449a) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
01:01:44:656 3088 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
01:01:44:703 3088 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
01:01:44:750 3088 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
01:01:44:843 3088 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
01:01:44:890 3088 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
01:01:44:890 3088
01:01:44:890 3088 Completed
01:01:44:906 3088
01:01:44:906 3088 Results:
01:01:44:906 3088 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
01:01:44:906 3088 File objects infected / cured / cured on reboot: 0 / 0 / 0
01:01:44:906 3088
01:01:44:906 3088 KLMD(ARK) unloaded successfully

Re: Protector.I virus

We are getting closer. Good job you've done there.


Check a file/files
Use your browser to go to the VirusTotal website.
Click the Browse button and then navigate to
c:\windows\system32\sysprs7.dll

then click the Submit button.

The various virus scanners will identify the file and if it is not identified, the AV vendors will then have a copy of it for analysis. Save the results, and post back here in a reply.

Next

Run CFScript

  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:




Code:

KILLALL::

RegLock::
[HKEY_USERS\S-1-5-21-507921405-287218729-515967899-500\Software\Microsoft\Internet Explorer\User Preferences]
Registry::
[HKEY_USERS\S-1-5-21-1220945662-1202660629-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=-
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=-


Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.


This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.


Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.




Re: Protector.I virus

Hi! Thanks a lot for your availability!
I've been trying to connect to that site, but Firefox says that it has a problem loading the page. I've tried to disable the firewall but it didn't help. Maybe the site is unavailable at the moment, I'll try again later...

Here is the log:

ComboFix 10-07-15.03 - Administrator 17.07.2010 10:32:16.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.385.1033.18.1022.549 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFscript.txt
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Created a new restore point
.
ADS - WINDOWS: deleted 0 bytes in 1 streams.

((((((((((((((((((((((((( Files Created from 2010-06-17 to 2010-07-17 )))))))))))))))))))))))))))))))
.

2010-07-15 13:56 . 2010-07-15 13:56 -------- d-----w- c:\program files\Common Files\Java
2010-07-15 13:56 . 2010-07-15 13:56 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6e906963-n\msvcp71.dll
2010-07-15 13:56 . 2010-07-15 13:56 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6e906963-n\jmc.dll
2010-07-15 13:56 . 2010-07-15 13:56 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6e906963-n\msvcr71.dll
2010-07-15 13:55 . 2010-07-15 13:55 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1cf0d209-n\decora-sse.dll
2010-07-15 13:55 . 2010-07-15 13:55 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1cf0d209-n\decora-d3d.dll
2010-07-15 13:55 . 2010-06-22 02:36 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-11 21:51 . 2010-07-11 21:57 -------- d-----w- c:\documents and settings\All Users\Application Data\iFood
2010-07-11 21:50 . 2010-07-11 21:50 8854 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{82883B23-3CB9-47C1-90C3-463C7B319F08}\Uninstall_ICEA_Check_82883B233CB947C190C3463C7B319F08.exe
2010-07-11 21:50 . 2010-07-11 21:50 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{82883B23-3CB9-47C1-90C3-463C7B319F08}\ARPPRODUCTICON.exe
2010-07-11 21:50 . 2010-07-11 21:50 40960 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{82883B23-3CB9-47C1-90C3-463C7B319F08}\iFood.EXE1112_82883B233CB947C190C3463C7B319F08.EXE
2010-07-11 21:50 . 2010-07-11 21:50 40960 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{82883B23-3CB9-47C1-90C3-463C7B319F08}\iFood.EXE111_82883B233CB947C190C3463C7B319F08.EXE
2010-07-11 21:50 . 2010-07-11 21:50 -------- d-----w- c:\program files\eucoSoftware
2010-06-28 07:59 . 2010-06-28 07:59 -------- d-----w- c:\program files\Winamp Detect
2010-06-18 13:20 . 2010-06-18 15:13 -------- d-----w- c:\program files\BBC.The.Human.Body.1to7DVDRip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-17 08:45 . 2009-11-15 22:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-07-17 08:45 . 2009-11-15 22:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2010-07-16 22:57 . 2010-05-18 22:09 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-15 20:29 . 2009-11-15 23:19 -------- d-----w- c:\program files\ESET
2010-07-15 17:57 . 2010-06-01 22:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-15 13:55 . 2009-11-15 21:13 -------- d-----w- c:\program files\Java
2010-06-28 21:10 . 2009-11-17 15:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2010-06-28 08:01 . 2009-11-25 17:21 -------- d-----w- c:\program files\Winamp
2010-06-23 13:16 . 2010-04-14 16:37 -------- d-----w- c:\program files\Foxit Software
2010-06-17 08:39 . 2009-11-15 21:01 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-13 10:31 . 2010-06-13 10:31 -------- d-----w- c:\program files\Common Files\Skype
2010-06-11 19:26 . 2009-12-19 12:38 -------- d-----w- c:\program files\Common Files\Teleca Shared
2010-06-11 19:26 . 2010-06-11 19:26 -------- d-----w- c:\program files\Common Files\Sony Ericsson Shared
2010-06-11 19:25 . 2010-06-11 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Ericsson
2010-06-11 19:25 . 2009-12-19 12:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Teleca
2010-06-04 16:15 . 2010-06-01 22:51 -------- d-----w- c:\program files\Spyware Doctor
2010-06-01 22:54 . 2010-06-01 22:52 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-01 22:51 . 2010-06-01 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-06-01 22:51 . 2010-06-01 22:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2010-06-01 22:42 . 2010-05-18 21:09 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2010-06-01 22:37 . 2010-06-01 22:37 -------- d-----w- c:\program files\PC Tools Spyware Doctor 6.1.0.448
2010-05-28 21:45 . 2009-12-19 12:38 -------- d-----w- c:\program files\Sony Ericsson
2010-05-27 14:03 . 2009-11-16 00:36 27184 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-27 10:33 . 2010-05-26 15:23 186 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\prsgrc.dll
2010-05-26 15:21 . 2010-05-26 15:21 -------- d-----w- c:\program files\Common Files\SPSS
2010-05-26 15:21 . 2010-05-26 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SPSS
2010-05-26 15:21 . 2010-05-26 15:21 -------- d-----w- c:\program files\Common Files\SPSSInc
2010-05-26 15:20 . 2010-05-26 15:20 -------- d-----w- c:\program files\SPSSInc
2010-05-26 15:20 . 2010-05-26 15:20 1025 ----a-w- c:\windows\system32\sysprs7.dll
2010-05-25 09:04 . 2010-05-18 21:14 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2010-05-25 09:02 . 2010-05-25 09:00 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{D5ABFFAD-D592-4F98-B02B-587125B4801F}
2010-05-25 09:02 . 2010-05-18 21:10 -------- d-----w- c:\program files\Uniblue
2010-05-18 21:41 . 2010-05-18 21:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue
2010-05-18 21:18 . 2010-05-18 21:17 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
2010-05-18 09:24 . 2010-05-12 20:45 715098 ----a-w- c:\documents and settings\Administrator\Application Data\Microsoft\AddIns\XLToolbox\uninstall\unins000.exe
2010-05-02 10:04 . 2009-02-09 14:08 1860352 ----a-w- c:\windows\system32\win32k.sys
2010-04-27 18:43 . 2010-04-27 15:36 68476 ----a-w- c:\windows\hpoins05.dat
2010-04-20 05:37 . 2008-05-27 20:29 285824 ----a-w- c:\windows\system32\atmfd.dll
.

------- Sigcheck -------

[-] 2009-04-18 . C951DB3D9B6EF3CF4B82454D30A8BF59 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-07-16_08.06.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-17 08:39 . 2010-07-17 08:39 16384 c:\windows\temp\Perflib_Perfdata_420.dat
+ 2008-04-14 15:00 . 2010-07-17 08:43 72238 c:\windows\system32\perfc009.dat
- 2008-04-14 15:00 . 2010-07-16 07:58 72238 c:\windows\system32\perfc009.dat
+ 2008-04-14 15:00 . 2010-07-17 08:43 444362 c:\windows\system32\perfh009.dat
- 2008-04-14 15:00 . 2010-07-16 07:58 444362 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 61952]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-04-09 2029640]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-15 7561216]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-04-15 86016]
"nwiz"="nwiz.exe" [2006-04-15 1519616]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 487424]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{08B785C1-3893-4154-B53B-F5D341D0AAAA}\Icon3E5562ED7.ico [2010-5-4 6144]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\egui.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2.6.2010 0:53 206256]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27.11.2009 9:40 717296]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [6.2.2009 15:23 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9.4.2009 16:19 731840]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [19.12.2009 15:24 13224]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2.6.2010 0:52 348824]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\b5wyzke0.default\
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-17 10:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys splw.sys >>UNKNOWN [0x86F72938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7676f28
\Driver\ACPI -> ACPI.sys @ 0xf73d1cb8
\Driver\atapi -> atapi.sys @ 0xf7348b40
\Driver\iaStor -> iaStor.sys @ 0xf72ae0b0
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel(R) PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf712cbb0
PacketIndicateHandler -> NDIS.sys @ 0xf7139b21
SendHandler -> NDIS.sys @ 0xf711787b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2820)
c:\windows\system32\WININET.dll
c:\program files\RocketDock\RocketDock.dll
c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ASTSRV.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-07-17 10:47:17 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-17 08:47

Pre-Run: 5.137.190.912 bytes free
Post-Run: 5.132.840.960 bytes free

- - End Of File - - 09842EE8EDFB83A7D4BF7B8901CFCF22

Re: Protector.I virus

I check that file at Virustotal and it's fine. How are things now?

Please download Malwarebytes Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Re: Protector.I virus

Hi!
20 min ago NOD32 reported another attack of this Protector.I virus, but this time it has cleaned it by quarantine.

Here is the log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4321

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

17.7.2010 13:06:01
mbam-log-2010-07-17 (13-06-01).txt

Scan type: Quick scan
Objects scanned: 123760
Time elapsed: 6 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: Protector.I virus

I know you have the ESET virus program installed, but I would like to look at an Online Scanner.

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You may, however, need to disable your currently installed Anti-Virus; how to do so can be read here.


  • Please go here, then click on: [screenshot]
  • Select the option YES, I accept the Terms of Use, then click on: [screenshot]
  • When prompted, allow the Add-On/ActiveX to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [screenshot]
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed, the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on: [screenshot]
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Re: Protector.I virus

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=00d5a2592e7fe645b31cadcf8015844a
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-07-17 02:41:12
# local_time=2010-07-17 04:41:12 (+0100, Central European Daylight Time)
# country="Croatia"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=8202 39157141 100 100 171600 40086720 0 0
# scanned=63868
# found=10
# cleaned=0
# scan_time=4755
# nod_component=V3 Build:0x30000000
C:\System Volume Information\_restore{07A9C310-B16A-4073-80C6-FCD7C78992D0}\RP227\A0053045.exe multiple threats 00000000000000000000000000000000 I
C:\System Volume Information\_restore{07A9C310-B16A-4073-80C6-FCD7C78992D0}\RP228\A0053198.exe Win32/HackAV.DD application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{07A9C310-B16A-4073-80C6-FCD7C78992D0}\RP228\A0054229.exe Win32/HackAV.EH application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{07A9C310-B16A-4073-80C6-FCD7C78992D0}\RP228\A0054230.exe Win32/HackAV.CY application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{07A9C310-B16A-4073-80C6-FCD7C78992D0}\RP228\A0054231.exe Win32/HackAV.CY application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{07A9C310-B16A-4073-80C6-FCD7C78992D0}\RP228\A0054232.exe Win32/HackAV.CW application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{07A9C310-B16A-4073-80C6-FCD7C78992D0}\RP228\A0054233.exe Win32/HackAV.CW application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{07A9C310-B16A-4073-80C6-FCD7C78992D0}\RP228\A0054234.exe Win32/HackAV.CW application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{07A9C310-B16A-4073-80C6-FCD7C78992D0}\RP228\A0054235.exe Win32/HackAV.CW application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{07A9C310-B16A-4073-80C6-FCD7C78992D0}\RP228\A0054236.exe Win32/HackAV.CW application 00000000000000000000000000000000 I

Re: Protector.I virus

When we remove ComboFix, the above items will be flushed out.

Your Computer is Clean

Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the x and /)
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix and anything associated with it.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it; there are other free alternatives, FIREFOX and OPERA, which are both free to use and more secure than IE.

If you are using Firefox, you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.


Additional Security Measures


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Cookienator- Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Secunia software inspector & update checker

Visit My Blog for Malware and Spyware Tips


Re: Protector.I virus

I would like to thank you very very much! You've really saved me and my computer from a lot of trouble! I will check your advice and read throughout the forum to learn a bit more about safety on the internet!

Keep the good work!
