TULNUK
HV user
joined: 30.08.2003
26.05.2008 20:58:26
Presumably infected Vista

So,
I have the good fortune to own a laptop that has had Vista on it from the very start.
About a week ago Nod32 announced that, in its opinion, the mafia.exe I had knowingly installed was a virus. I told Nod off and forbade it from blocking the file.
After that the trouble started; I swapped that exe file out (for a cracked version), but it did not help.
The computer boots and everything in startup begins running, but within about 2 minutes some open program freezes completely; the only thing that helps is shutting down from the power button and starting again.
Hibernate or sleep cause a spontaneous crash and a blue screen.
I did a full scan with Nod32, but the result was zero.
I don't use any separate firewall, I have generally avoided strange e-mails and sites, and I haven't installed any junk.
I don't use Ad-aware or any similar add-on program.
So the question now is: where should I start solving the problem?
Thanks to those who help with advice and ideas.

Lord Ami
HV veteran
joined: 13.01.2006

TULNUK
HV user
joined: 30.08.2003
27.05.2008 12:16:39

SUPERAntiSpyware crashed after a 6-hour scan for now; I'll try again.
HijackThis:
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Power Manager\PM.exe
C:\Program Files\Hotkey Management\FuncKey.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Eset\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [PowerManager] C:\Program Files\Power Manager\PM.exe
O4 - HKLM\..\Run: [FuncKey] "C:\Program Files\Hotkey Management\FuncKey.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB76BD4F-20E8-494E-BCF0-99D164F37A5E}: NameServer = 194.126.115.18 194.126.101.34
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 4700 bytes

Lord Ami
HV veteran
joined: 13.01.2006

TULNUK
HV user
joined: 30.08.2003
27.05.2008 23:02:02

ComboFix 08-05-26.2 - Pärtel 2008-05-27 21:17:15.2 - NTFSx86
Microsoft® Windows Vista Home Premium 6.0.6000.0.1257.1.1033.18.1268 [GMT 3:00]
Running from: C:\Users\Pärtel\Desktop\ComboFix.exe
* Resident AV is active
.
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 18:19 2,359,296 --sha-w C:\Users\Pärtel\NTUSER.DAT
2008-05-27 18:19 2,359,296 --sha-w C:\Users\Pärtel\NTUSER.DAT
2008-05-26 22:25 --------- d-----w C:\Program Files\Trend Micro
2008-05-26 22:20 --------- d-----w C:\Users\Pärtel\AppData\Roaming\SUPERAntiSpyware.com
2008-05-26 22:20 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-05-26 22:20 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-05-26 22:20 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-26 05:06 --------- d-----w C:\Program Files\PowerArchiver
2008-05-24 20:15 2,880 --sha-w C:\Windows\System32\KGyGaAvL.sys
2008-05-24 18:08 13,072 ----a-w C:\Users\Pärtel\AppData\Roaming\nvModes.dat
2008-05-23 10:04 --------- d-----w C:\Program Files\Mafia
2008-05-23 09:32 --------- d-----w C:\Program Files\RealFlightG3
2008-05-19 07:48 --------- d-----w C:\Users\Pärtel\AppData\Roaming\Azureus
2008-05-15 19:38 --------- d-----w C:\Program Files\Azureus
2008-05-15 03:50 --------- d-----w C:\Program Files\Windows Mail
2008-05-12 13:14 --------- d-----w C:\Users\Pärtel\AppData\Roaming\Winamp
2008-05-09 06:32 12,978 ----a-w C:\Users\Imbi\AppData\Roaming\nvModes.dat
2008-05-05 10:38 --------- d-----w C:\Program Files\FlashFXP
2008-04-26 09:47 --------- d-s---w C:\Users\Pärtel\AppData\Roaming\Microsoft
2008-04-20 11:23 --------- d-----w C:\Users\Pärtel\AppData\Roaming\Adobe
2008-04-14 16:51 --------- d-----w C:\Users\Pärtel\AppData\Roaming\Google
2008-04-12 14:05 --------- d-----w C:\Program Files\FlashGet
2008-04-08 17:18 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-04-08 17:14 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-04-08 17:14 --------- d-----w C:\Users\Pärtel\AppData\Roaming\DAEMON Tools
2008-04-08 16:48 --------- d-----w C:\Users\Pärtel\AppData\Roaming\GetRightToGo
2008-04-08 16:48 --------- d-----w C:\Program Files\Parallel Port Joystick
2008-04-08 16:40 --------- d-----w C:\Program Files\FMS
2008-04-08 16:26 --------- d-----w C:\Program Files\SmartPropoPlus
2008-04-05 18:28 --------- d-----w C:\Program Files\Joost
2008-03-30 12:49 --------- d-----w C:\Users\Pärtel\AppData\Roaming\Skype
2008-03-28 18:45 --------- d-----w C:\Program Files\Tests de servos
2008-03-11 19:27 174 --sha-w C:\Program Files\desktop.ini
2008-03-11 19:18 87,040 ----a-w C:\Windows\System32\msoert2.dll
2008-03-11 19:18 39,424 ----a-w C:\Windows\System32\ACCTRES.dll
2008-03-11 19:18 205,824 ----a-w C:\Windows\System32\msoeacct.dll
2008-03-11 19:17 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2008-03-11 19:17 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2008-03-11 19:17 542,720 ----a-w C:\Windows\System32\sysmain.dll
2008-03-11 19:17 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2008-03-11 19:17 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2008-03-11 19:17 297,984 ----a-w C:\Windows\System32\wlansec.dll
2008-03-11 19:17 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2008-03-11 19:17 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2008-03-11 19:17 2,923,520 ----a-w C:\Windows\explorer.exe
2008-03-11 19:15 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-03-11 19:14 49,664 ----a-w C:\Windows\System32\csrsrv.dll
2008-03-11 19:14 376,320 ----a-w C:\Windows\System32\winsrv.dll
2008-03-11 19:07 414,208 ----a-w C:\Windows\System32\msscp.dll
2008-03-11 19:06 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2008-03-11 19:06 7,680 ----a-w C:\Windows\System32\spwmp.dll
2008-03-11 19:06 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2008-03-11 19:06 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2008-03-11 19:05 86,016 ----a-w C:\Windows\System32\icfupgd.dll
2008-03-11 19:05 61,952 ----a-w C:\Windows\System32\cmifw.dll
2008-03-11 19:05 396,800 ----a-w C:\Windows\System32\MPSSVC.dll
2008-03-11 19:05 392,192 ----a-w C:\Windows\System32\FirewallAPI.dll
2008-03-11 19:05 178,688 ----a-w C:\Windows\System32\iphlpsvc.dll
2008-03-11 19:05 16,896 ----a-w C:\Windows\System32\wfapigp.dll
2008-03-11 19:04 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-03-11 19:04 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-03-11 19:03 104,448 ----a-w C:\Windows\System32\DWWIN.EXE
2008-03-11 19:02 2,048 ----a-w C:\Windows\System32\msxml3r.dll
2008-03-11 19:02 1,191,936 ----a-w C:\Windows\System32\msxml3.dll
2008-03-11 19:01 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-03-11 19:01 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-03-11 19:01 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-03-11 19:01 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2008-03-11 19:00 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2008-03-11 19:00 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2008-03-11 19:00 2,048 ----a-w C:\Windows\System32\asferror.dll
2008-03-11 18:59 57,856 ----a-w C:\Windows\System32\SLUINotify.dll
2008-03-11 18:59 566,784 ----a-w C:\Windows\System32\SLCommDlg.dll
2008-03-11 18:59 39,936 ----a-w C:\Windows\System32\slcinst.dll
2008-03-11 18:59 351,232 ----a-w C:\Windows\System32\SLUI.exe
2008-03-11 18:59 33,280 ----a-w C:\Windows\System32\slwmi.dll
2008-03-11 18:59 268,288 ----a-w C:\Windows\System32\mcbuilder.exe
2008-03-11 18:59 223,232 ----a-w C:\Windows\System32\SLC.dll
2008-03-11 18:59 2,605,568 ----a-w C:\Windows\System32\SLsvc.exe
2008-03-11 18:59 186,368 ----a-w C:\Windows\System32\SLLUA.exe
2008-03-11 18:58 2,048 ----a-w C:\Windows\System32\msxml6r.dll
2008-03-11 18:58 1,335,296 ----a-w C:\Windows\System32\msxml6.dll
2008-03-11 18:55 84,480 ----a-w C:\Windows\System32\INETRES.dll
2008-03-11 18:55 737,792 ----a-w C:\Windows\System32\inetcomm.dll
2008-03-11 18:55 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-03-11 18:53 788,992 ----a-w C:\Windows\System32\rpcrt4.dll
2008-03-11 18:52 5,120 ----a-w C:\Windows\System32\wmi.dll
2008-03-11 18:52 152,576 ----a-w C:\Windows\System32\imagehlp.dll
2008-03-11 18:51 633,856 ----a-w C:\Windows\System32\user32.dll
2008-03-11 18:51 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-03-11 18:48 750,080 ----a-w C:\Windows\System32\qmgr.dll
2008-03-11 18:48 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2008-03-11 17:52 53,080 ----a-w C:\Windows\System32\wuauclt.exe
2008-03-11 17:52 43,352 ----a-w C:\Windows\System32\wups2.dll
2008-03-11 17:52 1,712,984 ----a-w C:\Windows\System32\wuaueng.dll
2008-03-11 17:52 1,524,224 ----a-w C:\Windows\System32\wucltux.dll
2008-03-11 17:40 80,896 ----a-w C:\Windows\System32\wudriver.dll
2008-03-11 17:40 549,720 ----a-w C:\Windows\System32\wuapi.dll
2008-03-11 17:40 33,624 ----a-w C:\Windows\System32\wups.dll
2008-03-11 17:39 31,232 ----a-w C:\Windows\System32\wuapp.exe
.
------- Sigcheck -------
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-03-11 21:55 1232896]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 17:15 221184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 15:35 125440]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43 1510640]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2006-12-10 15:47 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2006-12-10 15:47 81920]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 12:57 3784704 C:\Windows\RtHDVCpl.exe]
"PowerManager"="C:\Program Files\Power Manager\PM.exe" [2006-11-06 21:19 26112]
"FuncKey"="C:\Program Files\Hotkey Management\FuncKey.exe" [2006-11-23 17:28 20480]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 17:15 81920]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 12:06 1443072]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= divxa32.acm
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-02-26 21:46 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
--a------ 2006-12-10 15:47 90191 C:\Windows\system32\nvsvc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1005708419-4094569361-2739184535-1000]
"EnableNotificationsRef"=dword:00000003
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{62BD1F79-662F-45AE-B47C-85BD0B030A28}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{E3E057B0-2403-4E31-A632-0CAF04620E8A}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule
"UDP Query User{333CE1B7-3C85-4156-A1A5-1252081F32E8}C:\\program files\\emule\\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule
"TCP Query User{3CE746A0-52CF-4A33-8484-D8D799A1DD53}C:\\program files\\trackmania united\\tmunited.exe"= UDP:C:\program files\trackmania united\tmunited.exe:TmUnited
"UDP Query User{B6683AA1-D499-483D-AEBE-76FDBC442021}C:\\program files\\trackmania united\\tmunited.exe"= TCP:C:\program files\trackmania united\tmunited.exe:TmUnited
"TCP Query User{65026092-F81E-4FAD-8D17-BAF73E2837F5}C:\\program files\\flashget\\flashget.exe"= UDP:C:\program files\flashget\flashget.exe:FlashGet
"UDP Query User{9E321648-6A4A-44E8-8C6B-B2A9B1FCFBF0}C:\\program files\\flashget\\flashget.exe"= TCP:C:\program files\flashget\flashget.exe:FlashGet
"TCP Query User{BB13975F-1A3A-4F78-861F-7F87EAE71813}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{822CB1E3-97BD-4505-A04E-4A471FB0FECB}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"TCP Query User{D1822059-6E5D-4701-8EBD-554F29D07510}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{CB3C7EF1-D89F-4993-82BC-B66DC91A24C0}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{F7546000-F3DB-4A80-B792-48B2974DCC43}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{9FE6C9CE-5C5B-4429-BFAB-CA4EA329B1EA}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"TCP Query User{08C303F5-ADA3-49FE-A04E-0E381BF76E0A}C:\\users\\pärtel\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\zupufs4t\\eserver-16.40.i686-win32[1].exe"= UDP:C:\users\pärtel\appdata\local\microsoft\windows\temporary internet files\content.ie5\zupufs4t\eserver-16.40.i686-win32[1].exe:eserver-16.40.i686-win32[1].exe
"UDP Query User{10BDC047-A2B5-4C8A-83E4-D9EC0599AD9A}C:\\users\\pärtel\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\zupufs4t\\eserver-16.40.i686-win32[1].exe"= TCP:C:\users\pärtel\appdata\local\microsoft\windows\temporary internet files\content.ie5\zupufs4t\eserver-16.40.i686-win32[1].exe:eserver-16.40.i686-win32[1].exe
"TCP Query User{C7AE61DA-FAA8-4063-A5A6-6DD0F4888AAD}C:\\program files\\realflightg3\\realflight.exe"= UDP:C:\program files\realflightg3\realflight.exe:Radio Control Simulator
"UDP Query User{617A8886-BC49-42B8-BB71-351D475BD27E}C:\\program files\\realflightg3\\realflight.exe"= TCP:C:\program files\realflightg3\realflight.exe:Radio Control Simulator
"TCP Query User{222BDF2E-86F6-4F70-A100-A65F77F5EBA5}C:\\program files\\joost\\xulrunner\\tvprunner.exe"= Disabled:UDP:C:\program files\joost\xulrunner\tvprunner.exe:tvprunner
"UDP Query User{59132D2D-3288-458F-B53F-D3A2BD0E3CD0}C:\\program files\\joost\\xulrunner\\tvprunner.exe"= Disabled:TCP:C:\program files\joost\xulrunner\tvprunner.exe:tvprunner
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
R1 epfwtdir;epfwtdir;C:\Windows\system32\DRIVERS\epfwtdir.sys [2008-02-20 12:11]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-01-30 13:23]
R3 nvsmu;nvsmu;C:\Windows\system32\DRIVERS\nvsmu.sys [2006-09-15 09:44]
R3 PPJoyBus;Parallel Port Joystick Bus device driver;C:\Windows\system32\drivers\PPJoyBus.sys [2004-10-24 08:11]
R3 PPortJoystick;Parallel Port Joystick device driver;C:\Windows\system32\drivers\PPortJoy.sys [2004-10-24 08:11]
R3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;C:\Windows\system32\DRIVERS\sis163u.sys [2007-01-25 15:16]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\Windows\system32\regedt32.exe [2006-11-02 12:45]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{92ed4764-058f-11dd-a4ef-00140b328f79}]
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \Readme.txt
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-27 04:32:13 C:\Windows\Tasks\User_Feed_Synchronization-{2477131D-C580-47AC-BE5A-6E4883049B5F}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 21:19:14
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-27 21:20:05
ComboFix-quarantined-files.txt 2008-05-27 18:19:53
ComboFix2.txt 2008-05-27 18:12:35
The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.
204 --- E O F --- 2008-05-23 10:29:12

mightythor
HV veteran
joined: 02.12.2004
28.05.2008 21:00:15

I'd just like to ask in between here: does ComboFix work the same way as HJT?

Lord Ami
HV veteran
joined: 13.01.2006
28.05.2008 21:30:13

mightythor wrote:
"I'd just like to ask in between here: does ComboFix work the same way as HJT?"
In principle, yes. Hmm, I had already forgotten about this thread.
I'll look over his log right away.
//
Nothing suspicious caught my eye, though.

TULNUK
HV user
joined: 30.08.2003
29.05.2008 15:41:21

Strange, over the last two days there hasn't really been any noticeable freezing or the like, yet hibernate and sleep still ended in a crash.
Someone from this forum mentioned, somewhere in a games thread, problems similar to mine, but he solved the trouble with a fresh Windows install.