Help - it looks like a virus

  • Dragan Đurašinović
  • Joined: 20 Dec 2008
  • Posts: 82

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:43:31, on 20.12.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\K-Lite Codec Pack\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\DOCUME~1\User\LOCALS~1\Temp\yyy20403.exe
C:\DOCUME~1\User\LOCALS~1\Temp\~tmpb.exe
C:\Program Files\WinZip32\WZQKPICK.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\User\LOCALS~1\Temp\~tmpc.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\User\Desktop\kkkkkk\TR3.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = my.freeze.com/?AcquisitionID=4aa809b9-2824-.....=&ipc=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PCCBHO.CPCCBHO - {22FC6CE8-7D47-479F-B74A-BFBB04ADB9AF} - C:\Program Files\Winferno\PC Confidential\PCCBHO.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: BS.Player ControlBar - {2C688203-7EB3-4327-9995-1CB417BA23F9} - C:\Program Files\BS.Player ControlBar\BSToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\K-Lite Codec Pack\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Yamaha DS-XG Driver] C:\WINDOWS\system32\vdriver.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\User\LOCALS~1\Temp\~tmpb.exe
O4 - HKCU\..\Run: [MSFox] C:\DOCUME~1\User\LOCALS~1\Temp\yyy20403.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip32\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
O9 - Extra 'Tools' menuitem: PC Confidential - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
O9 - Extra button: PC Confidential - {925DAB62-F9AC-4221-806A-057BFB1014AA} - C:\Program Files\Winferno\PC Confidential\PCConfidential.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 5666 bytes

Last night I was downloading some pictures and picked up some virus. This is the first time a virus has bothered me, so I know nothing about this.
This morning NOD first reported that I had a virus/trojan in one folder; I deleted that folder and after that NOD didn't report anything more about it. But all day an icon on my taskbar has been showing "You have a security problem" and every 10 minutes a little window pops up warning me that my computer may be infected and that I could lose all my data and ... and asks whether I want to install VirusRemuver2008 to scan the computer for malware.
Even though I click Cancel, it throws up two more windows and starts scanning something, and then NOD reports the following

Threat:
Win32/Adware. Antivirus2008 aplication trial/InstallAVg-77100106.exe


I'm connected via ADSL - 512 Kbit/s

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Download ComboFix to your Desktop from one of the following addresses:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and don't touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear; paste it here for us.

  • Dragan Đurašinović
  • Joined: 20 Dec 2008
  • Posts: 82

I installed Spybot, cleaned the machine with it, and it works OK for now!!!!

Afterwards I saw what you recommended, so I did that too, but after Spybot.

I hope I haven't messed something up.

Here's the report, take a look


ComboFix 08-12-20.03 - User 2008-12-20 23:39:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1596 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\windows\system32\mpg4c32.dll
c:\windows\system32\r6uxWgY1.exe.a_a

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WERFGH


((((((((((((((((((((((((( Files Created from 2008-11-20 to 2008-12-20 )))))))))))))))))))))))))))))))
.

2008-12-20 23:28 . 2008-12-20 23:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\EmailNotifier
2008-12-20 22:44 . 2008-12-20 22:44 146 --a------ c:\windows\wininit.ini
2008-12-20 22:27 . 2008-12-20 22:27 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-20 22:27 . 2008-12-20 22:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-20 17:09 . 2008-12-20 17:09 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-12-20 16:37 . 2008-12-20 18:23 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-12-20 16:29 . 2008-12-20 16:29 50 --a------ c:\windows\MegaManager.INI
2008-12-20 15:50 . 2008-12-20 16:25 <DIR> d--h----- c:\windows\$hf_mig$
2008-12-16 16:04 . 2008-12-17 22:39 <DIR> d-------- c:\program files\WinZip32
2008-12-14 17:57 . 2008-12-14 17:57 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-14 17:57 . 2008-12-14 17:57 1,409 --a------ c:\windows\QTFont.for
2008-12-05 21:33 . 2008-12-09 16:49 <DIR> d-------- c:\program files\XviD
2008-12-05 21:22 . 2008-12-05 21:22 <DIR> d-------- c:\windows\system32\QuickTime
2008-12-05 21:22 . 2008-12-04 21:42 815,104 --a------ c:\windows\system32\xvidcore.dll
2008-12-05 21:22 . 2004-09-23 18:57 747,008 --a------ c:\windows\system32\Indeo4.qtx
2008-12-05 21:22 . 2002-12-20 12:40 675,328 --a------ c:\windows\system32\ir50_32.qtx
2008-12-05 21:22 . 2005-06-10 17:40 360,504 --a------ c:\windows\system32\QTPlugin.ocx
2008-12-05 21:22 . 2004-09-23 18:57 323,072 --a------ c:\windows\system32\QuickTime.cpl
2008-12-05 21:22 . 2002-11-08 20:04 225,280 --a------ c:\windows\system32\qtmlClient.dll
2008-12-05 21:22 . 2004-01-22 19:06 157,696 --a------ c:\windows\system32\unrar.dll
2008-12-05 21:22 . 2004-09-23 18:57 70,144 --a------ c:\windows\system32\QuickTimeCheck.ocx
2008-12-05 21:16 . 2008-12-05 21:16 848 --ahs---- c:\windows\system32\KGyGaAvL.sys
2008-12-05 21:01 . 2008-12-05 21:01 <DIR> d-------- c:\program files\Kodeci
2008-12-02 19:38 . 2008-12-02 19:38 <DIR> d-------- c:\program files\Mail me
2008-11-21 22:47 . 2008-11-21 22:47 3,596,288 --a------ c:\windows\system32\qt-dx331.dll
2008-11-21 22:47 . 2008-11-21 22:47 524,288 --a------ c:\windows\system32\DivXsm.exe
2008-11-21 22:47 . 2008-11-21 22:47 4,816 --a------ c:\windows\system32\divxsm.tlb
2008-11-21 22:46 . 2008-11-21 22:46 1,044,480 --a------ c:\windows\system32\libdivx.dll
2008-11-21 22:46 . 2008-11-21 22:46 200,704 --a------ c:\windows\system32\ssldivx.dll
2008-11-21 22:44 . 2008-11-21 22:44 161,096 --a------ c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 22:44 . 2008-11-21 22:44 12,288 --a------ c:\windows\system32\DivXWMPExtType.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-20 21:44 --------- d-----w c:\program files\Free Offers from Freeze.com
2008-12-20 15:29 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-09 15:51 --------- d-----w c:\documents and settings\User\Application Data\DivX
2008-12-09 15:50 --------- d-----w c:\program files\DivX
2008-12-06 09:08 --------- d-----w c:\program files\Real Alternative
2008-12-05 20:32 --------- d-----w c:\program files\AngelPotion Video Codec V1
2008-12-05 20:22 --------- d-----w c:\program files\K-Lite Codec Pack
2008-12-02 18:38 737,280 ----a-w c:\windows\iun6002.exe
2008-11-27 16:41 --------- d-----w c:\program files\Google
2008-11-21 21:47 9,464 ------w c:\windows\system32\drivers\cdralw2k.sys
2008-11-21 21:47 9,336 ------w c:\windows\system32\drivers\cdr4_xp.sys
2008-11-21 21:47 43,528 ------w c:\windows\system32\drivers\PxHelp20.sys
2008-11-19 19:23 --------- d-----w c:\program files\VLC player
2008-11-17 12:54 --------- d-----w c:\program files\FLV Player
2008-11-11 18:28 --------- d-----w c:\program files\Common Files\Adobe
2008-11-10 18:01 --------- d-----w c:\program files\YouTube Downloader
2008-11-07 14:50 --------- d-----w c:\documents and settings\User\Application Data\vlc
2008-11-07 14:49 --------- d-----w c:\program files\VideoLAN
2008-11-06 23:27 --------- d-----w c:\program files\Real
2008-11-06 23:27 --------- d-----w c:\program files\Common Files\Real
2008-11-06 23:27 --------- d-----w c:\documents and settings\All Users\Application Data\Winferno
2008-11-06 23:23 --------- d-----w c:\program files\Winferno
2008-11-06 23:23 --------- d-----w c:\program files\Common Files\Winferno
2008-11-06 22:58 --------- d-----w c:\documents and settings\User\Application Data\bsplayer
2008-11-04 17:53 --------- d-----w c:\program files\Eset
2007-12-13 18:38 22,328 ----a-w c:\documents and settings\User\Application Data\PnkBstrK.sys
2008-11-27 16:42 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-12-20 15:36 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 15:36 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 15:36 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 15:36 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-20 15:36 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-09-19 14:32 56 --sh--r c:\windows\system32\2D490C189A.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-12-04 949376]
"TkBellExe"="c:\program files\K-Lite Codec Pack\Real\Update_OB\realsched.exe" [2008-09-20 180269]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-27 30192]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-10-04 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip32\WZQKPICK.EXE [2008-12-16 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.AP41"= APmpg4v1.dll
"VIDC.X264"= x264vfw.dll
"vidc.i263"= i263_32.drv
"vidc.i420"= i263_32.drv
"msacm.l3fhg"= mp3fhg.acm
"msacm.imc"= imc32.acm
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"VIDC.HFYU"= huffyuv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-12-04 15424]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-27 30192]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{288cddf3-4add-11dd-a55e-0019dbd0ba74}]
\Shell\AutoRun\command - G:\semo2x.exe
\Shell\explore\Command - G:\semo2x.exe
\Shell\open\Command - G:\semo2x.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{288cddf9-4add-11dd-a55e-0019dbd0ba74}]
\Shell\AutoRun\command - G:\semo2x.exe
\Shell\explore\Command - G:\semo2x.exe
\Shell\open\Command - G:\semo2x.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2bc3cc1a-a371-11dc-a47a-0019dbd0ba74}]
\Shell\AutoRun\command - F:\fooool.exe
\Shell\explore\Command - F:\fooool.exe
\Shell\open\Command - F:\fooool.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{398fdb0c-1f4c-11dd-a527-0019dbd0ba74}]
\Shell\Auto\command - G:\Autorun.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39aa99ef-d659-11dc-a4c5-0019dbd0ba74}]
\Shell\Auto\command - H:\Autorun.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47a859a0-2004-11dd-a528-0019dbd0ba74}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47a859b1-2004-11dd-a528-0019dbd0ba74}]
\Shell\AutoRun\command - G:\semo2x.exe
\Shell\explore\Command - G:\semo2x.exe
\Shell\open\Command - G:\semo2x.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d75d832-1638-11dd-a520-0019dbd0ba74}]
\Shell\Auto\command - G:\Autorun.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56955b9c-ff20-11dc-a501-0019dbd0ba74}]
\Shell\Auto\command - G:\Autorun.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6174c261-ad5f-11dc-a490-0019dbd0ba74}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8227b11a-c997-11dc-a4b4-0019dbd0ba74}]
\Shell\Auto\command - H:\Autorun.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{985ac207-8b36-11dd-a5ca-0019dbd0ba74}]
\Shell\AutoRun\command - G:\semo2x.exe
\Shell\explore\Command - G:\semo2x.exe
\Shell\open\Command - G:\semo2x.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a995b618-a73a-11dc-a485-0019dbd0ba74}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a995b61a-a73a-11dc-a485-0019dbd0ba74}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9f201e1-c426-11dc-a4aa-0019dbd0ba74}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc2b656c-391b-11dd-a546-0019dbd0ba74}]
\Shell\AutoRun\command - G:\semo2x.exe
\Shell\explore\Command - G:\semo2x.exe
\Shell\open\Command - G:\semo2x.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be53063e-c740-11dc-a4af-0019dbd0ba74}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{becfe586-39ec-11dd-a547-0019dbd0ba74}]
\Shell\Auto\command - G:\Autorun.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{becfe587-39ec-11dd-a547-0019dbd0ba74}]
\Shell\Auto\command - G:\Autorun.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d204993e-ec45-11dc-a4e3-0019dbd0ba74}]
\Shell\Auto\command - G:\Autorun.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd54b60f-b137-11dc-a499-0019dbd0ba74}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd906a04-c6a4-11dc-a4ad-0019dbd0ba74}]
\Shell\Auto\command - H:\Autorun.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-19 c:\windows\Tasks\At1.job
- c:\windows\system32\r6uxWgY1.exe []

2008-12-19 c:\windows\Tasks\At10.job
- c:\windows\system32\r6uxWgY1.exe []

2008-12-19 c:\windows\Tasks\At11.job
- c:\windows\system32\r6uxWgY1.exe []

2008-12-20 c:\windows\Tasks\At12.job
- c:\windows\system32\r6uxWgY1.exe []

2008-12-20 c:\windows\Tasks\At13.job
- c:\windows\system32\r6uxWgY1.exe []

2008-12-20 c:\windows\Tasks\At14.job
- c:\windows\system32\r6uxWgY1.exe []

2008-12-19 c:\windows\Tasks\At15.job
- c:\windows\system32\r6uxWgY1.exe []

2008-12-19 c:\windows\Tasks\At16.job
- c:\windows\system32\r6uxWgY1.exe []

2008-12-20 c:\windows\Tasks\At17.job
- c:\windows\system32\r6uxWgY1.exe []

2008-12-20 c:\windows\Tasks\At18.job
- c:\windows\system32\r6uxWgY1.exe []

2008-12-20 c:\windows\Tasks\At19.job
- c:\windows\system32\r6uxWgY1.exe []

2008-12-19 c:\windows\Tasks\At2.job
- c:\windows\system32\r6uxWgY1.exe []

2008-12-20 c:\windows\Tasks\At20.job
- c:\windows\system32\r6uxWgY1.exe []

2008-12-19 c:\windows\Tasks\At21.job
- c:\windows\system32\r6uxWgY1.exe []

2008-12-20 c:\windows\Tasks\At22.job
- c:\windows\system32\r6uxWgY1.exe []

2008-12-20 c:\windows\Tasks\At23.job
- c:\windows\system32\r6uxWgY1.exe []

2008-12-20 c:\windows\Tasks\At24.job
- c:\windows\system32\r6uxWgY1.exe []

2008-12-19 c:\windows\Tasks\At3.job
- c:\windows\system32\r6uxWgY1.exe []

2008-12-19 c:\windows\Tasks\At4.job
- c:\windows\system32\r6uxWgY1.exe []

2008-12-19 c:\windows\Tasks\At5.job
- c:\windows\system32\r6uxWgY1.exe []

2008-12-19 c:\windows\Tasks\At6.job
- c:\windows\system32\r6uxWgY1.exe []

2008-12-19 c:\windows\Tasks\At7.job
- c:\windows\system32\r6uxWgY1.exe []

2008-12-19 c:\windows\Tasks\At8.job
- c:\windows\system32\r6uxWgY1.exe []

2008-12-19 c:\windows\Tasks\At9.job
- c:\windows\system32\r6uxWgY1.exe []

2008-12-20 c:\windows\Tasks\PCConfidential.job
- c:\program files\Winferno\PC Confidential\PCConfidential.exe [2008-04-01 14:10]

2008-12-20 c:\windows\Tasks\RegPowerClean.job
- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe [2008-10-28 14:48]

2008-12-20 c:\windows\Tasks\RPCReminder.job
- c:\program files\Winferno\RegistryPowerCleaner\RPCReminder.exe [2008-10-28 14:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Yamaha DS-XG Driver - c:\windows\system32\vdriver.exe
HKCU-Run-amva - c:\windows\system32\amvo.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\fzy7oxrv.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.gogle.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\program files\BS.Player ControlBar\FirefoxDTT\components\BSToolbarFF.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-12-20 23:41:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(804)
c:\windows\system32\imon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Eset\nod32krn.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2008-12-20 23:43:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-20 22:43:23

Pre-Run: 6.890.463.232 bytes free
Post-Run: 6,832,271,360 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

311 --- E O F --- 2008-12-20 18:15:04

Update: 21 Dec 2008 0:01

Now I have both Spybot and NOD installed; should I leave it like that or remove something?

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Open Notepad and copy the following text into it:

File::
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

DirLook::
c:\program files\Free Offers from Freeze.com

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{288cddf3-4add-11dd-a55e-0019dbd0ba74}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{288cddf9-4add-11dd-a55e-0019dbd0ba74}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2bc3cc1a-a371-11dc-a47a-0019dbd0ba74}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{398fdb0c-1f4c-11dd-a527-0019dbd0ba74}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39aa99ef-d659-11dc-a4c5-0019dbd0ba74}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47a859a0-2004-11dd-a528-0019dbd0ba74}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47a859b1-2004-11dd-a528-0019dbd0ba74}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d75d832-1638-11dd-a520-0019dbd0ba74}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56955b9c-ff20-11dc-a501-0019dbd0ba74}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6174c261-ad5f-11dc-a490-0019dbd0ba74}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8227b11a-c997-11dc-a4b4-0019dbd0ba74}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{985ac207-8b36-11dd-a5ca-0019dbd0ba74}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a995b618-a73a-11dc-a485-0019dbd0ba74}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a995b61a-a73a-11dc-a485-0019dbd0ba74}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc2b656c-391b-11dd-a546-0019dbd0ba74}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be53063e-c740-11dc-a4af-0019dbd0ba74}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{becfe586-39ec-11dd-a547-0019dbd0ba74}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{becfe587-39ec-11dd-a547-0019dbd0ba74}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d204993e-ec45-11dc-a4e3-0019dbd0ba74}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd54b60f-b137-11dc-a499-0019dbd0ba74}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd906a04-c6a4-11dc-a4ad-0019dbd0ba74}]



Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as in the picture.
Post in your next message the log that gets created at the end of the cleaning/scan.

You have several infected USB devices (USB sticks, flash drives, MP3 players, a phone that connects via USB, an external HD or something similar)

Download the following program - http://amf.mycity.rs/personal/bobby/USB_blocker/usb_blocker.exe
- run it and choose the Auto block option
- insert a USB stick into the computer and wait a few seconds (say 5-10 seconds)
- the program has now analysed the stick (you can see it in the lower part of the program, in the log)
- top left, double-click the letter that denotes the partition, i.e. your USB stick
- down by the clock a message will appear saying you may remove the USB stick from the computer
- don't close the program; insert the next USB stick and wait a couple of seconds for it too, and so on for all the sticks, MP3 players, the phone
- remember the order in which the sticks were inserted

When you finish all that, the log in the lower part of the program will contain all the data I need to see which stick is infected.
Right-click the log/report and choose Save log.
Notepad will open automatically with the report in it.
Paste that report here on the forum for me.

  • Dragan Đurašinović
  • Joined: 20 Dec 2008
  • Posts: 82

I did the first part; I'll do the USB stick part soon.

ComboFix 08-12-20.03 - User 2008-12-21 12:04:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1507 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.

2008-12-21 11:02 . 2008-12-21 11:11 <DIR> d-------- c:\windows\LastGood
2008-12-21 11:02 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-12-21 11:02 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2008-12-21 11:02 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-12-20 23:28 . 2008-12-20 23:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\EmailNotifier
2008-12-20 22:44 . 2008-12-20 22:44 146 --a------ c:\windows\wininit.ini
2008-12-20 22:27 . 2008-12-21 10:52 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-20 22:27 . 2008-12-21 10:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-20 17:09 . 2008-12-20 17:09 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-12-20 16:37 . 2008-12-21 11:14 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-12-20 16:29 . 2008-12-20 16:29 50 --a------ c:\windows\MegaManager.INI
2008-12-20 15:50 . 2008-12-20 16:25 <DIR> d--h----- c:\windows\$hf_mig$
2008-12-16 16:04 . 2008-12-17 22:39 <DIR> d-------- c:\program files\WinZip32
2008-12-14 17:57 . 2008-12-14 17:57 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-14 17:57 . 2008-12-14 17:57 1,409 --a------ c:\windows\QTFont.for
2008-12-05 21:33 . 2008-12-09 16:49 <DIR> d-------- c:\program files\XviD
2008-12-05 21:22 . 2008-12-05 21:22 <DIR> d-------- c:\windows\system32\QuickTime
2008-12-05 21:22 . 2008-12-04 21:42 815,104 --a------ c:\windows\system32\xvidcore.dll
2008-12-05 21:22 . 2004-09-23 18:57 747,008 --a------ c:\windows\system32\Indeo4.qtx
2008-12-05 21:22 . 2002-12-20 12:40 675,328 --a------ c:\windows\system32\ir50_32.qtx
2008-12-05 21:22 . 2005-06-10 17:40 360,504 --a------ c:\windows\system32\QTPlugin.ocx
2008-12-05 21:22 . 2004-09-23 18:57 323,072 --a------ c:\windows\system32\QuickTime.cpl
2008-12-05 21:22 . 2002-11-08 20:04 225,280 --a------ c:\windows\system32\qtmlClient.dll
2008-12-05 21:22 . 2004-01-22 19:06 157,696 --a------ c:\windows\system32\unrar.dll
2008-12-05 21:22 . 2004-09-23 18:57 70,144 --a------ c:\windows\system32\QuickTimeCheck.ocx
2008-12-05 21:16 . 2008-12-05 21:16 848 --ahs---- c:\windows\system32\KGyGaAvL.sys
2008-12-05 21:01 . 2008-12-05 21:01 <DIR> d-------- c:\program files\Kodeci
2008-12-02 19:38 . 2008-12-02 19:38 <DIR> d-------- c:\program files\Mail me
2008-11-21 22:47 . 2008-11-21 22:47 3,596,288 --a------ c:\windows\system32\qt-dx331.dll
2008-11-21 22:47 . 2008-11-21 22:47 524,288 --a------ c:\windows\system32\DivXsm.exe
2008-11-21 22:47 . 2008-11-21 22:47 4,816 --a------ c:\windows\system32\divxsm.tlb
2008-11-21 22:46 . 2008-11-21 22:46 1,044,480 --a------ c:\windows\system32\libdivx.dll
2008-11-21 22:46 . 2008-11-21 22:46 200,704 --a------ c:\windows\system32\ssldivx.dll
2008-11-21 22:44 . 2008-11-21 22:44 161,096 --a------ c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 22:44 . 2008-11-21 22:44 12,288 --a------ c:\windows\system32\DivXWMPExtType.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-20 21:44 --------- d-----w c:\program files\Free Offers from Freeze.com
2008-12-20 15:29 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-09 15:51 --------- d-----w c:\documents and settings\User\Application Data\DivX
2008-12-09 15:50 --------- d-----w c:\program files\DivX
2008-12-06 09:08 --------- d-----w c:\program files\Real Alternative
2008-12-05 20:32 --------- d-----w c:\program files\AngelPotion Video Codec V1
2008-12-05 20:22 --------- d-----w c:\program files\K-Lite Codec Pack
2008-12-04 20:46 180,224 ----a-w c:\windows\system32\xvidvfw.dll
2008-12-02 18:38 737,280 ----a-w c:\windows\iun6002.exe
2008-11-27 16:41 --------- d-----w c:\program files\Google
2008-11-21 21:47 9,464 ------w c:\windows\system32\drivers\cdralw2k.sys
2008-11-21 21:47 9,336 ------w c:\windows\system32\drivers\cdr4_xp.sys
2008-11-21 21:47 43,528 ------w c:\windows\system32\drivers\PxHelp20.sys
2008-11-21 21:47 129,784 ------w c:\windows\system32\pxafs.dll
2008-11-21 21:47 120,056 ------w c:\windows\system32\pxcpyi64.exe
2008-11-21 21:47 118,520 ------w c:\windows\system32\pxinsi64.exe
2008-11-19 19:23 --------- d-----w c:\program files\VLC player
2008-11-17 12:54 --------- d-----w c:\program files\FLV Player
2008-11-13 15:43 103,736 ----a-w c:\windows\system32\PnkBstrB.exe
2008-11-11 18:28 --------- d-----w c:\program files\Common Files\Adobe
2008-11-10 18:01 --------- d-----w c:\program files\YouTube Downloader
2008-11-07 14:50 --------- d-----w c:\documents and settings\User\Application Data\vlc
2008-11-07 14:49 --------- d-----w c:\program files\VideoLAN
2008-11-06 23:27 --------- d-----w c:\program files\Real
2008-11-06 23:27 --------- d-----w c:\program files\Common Files\Real
2008-11-06 23:27 --------- d-----w c:\documents and settings\All Users\Application Data\Winferno
2008-11-06 23:23 --------- d-----w c:\program files\Winferno
2008-11-06 23:23 --------- d-----w c:\program files\Common Files\Winferno
2008-11-06 22:58 --------- d-----w c:\documents and settings\User\Application Data\bsplayer
2008-11-04 17:53 --------- d-----w c:\program files\Eset
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2007-12-13 18:38 22,328 ----a-w c:\documents and settings\User\Application Data\PnkBstrK.sys
2008-11-27 16:42 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-12-20 15:36 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 15:36 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 15:36 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 15:36 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-20 15:36 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-09-19 14:32 56 --sh--r c:\windows\system32\2D490C189A.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\program files\Free Offers from Freeze.com ----

2008-11-07 00:23 80 --a------ c:\program files\Free Offers from Freeze.com\3772.url
2008-11-07 00:23 79 --a------ c:\program files\Free Offers from Freeze.com\3766.url
2008-11-07 00:23 78 --a------ c:\program files\Free Offers from Freeze.com\3773.url
2008-11-07 00:23 319 --a------ c:\program files\Free Offers from Freeze.com\control.txt


((((((((((((((((((((((((((((( snapshot@2008-12-20_23.43.06.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-21 09:53:02 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_2c4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-12-04 949376]
"TkBellExe"="c:\program files\K-Lite Codec Pack\Real\Update_OB\realsched.exe" [2008-09-20 180269]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-27 30192]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-10-04 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip32\WZQKPICK.EXE [2008-12-16 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.AP41"= APmpg4v1.dll
"VIDC.X264"= x264vfw.dll
"vidc.i263"= i263_32.drv
"vidc.i420"= i263_32.drv
"msacm.l3fhg"= mp3fhg.acm
"msacm.imc"= imc32.acm
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"VIDC.HFYU"= huffyuv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-12-04 15424]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-27 30192]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9f201e1-c426-11dc-a4aa-0019dbd0ba74}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs
.
Contents of the 'Scheduled Tasks' folder

2008-12-21 c:\windows\Tasks\PCConfidential.job
- c:\program files\Winferno\PC Confidential\PCConfidential.exe [2008-04-01 14:10]

2008-12-21 c:\windows\Tasks\RegPowerClean.job
- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe [2008-10-28 14:48]

2008-12-21 c:\windows\Tasks\RPCReminder.job
- c:\program files\Winferno\RegistryPowerCleaner\RPCReminder.exe [2008-10-28 14:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\fzy7oxrv.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.gogle.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\program files\BS.Player ControlBar\FirefoxDTT\components\BSToolbarFF.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-12-21 12:05:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\windows\system32\COMRes.dll

- - - - - - - > 'lsass.exe'(800)
c:\windows\system32\imon.dll
.
Completion time: 2008-12-21 12:05:50
ComboFix-quarantined-files.txt 2008-12-21 11:05:48
ComboFix2.txt 2008-12-20 22:43:27

Pre-Run: 6.626.836.480 bytes free
Post-Run: 6,614,949,888 bytes free

253 --- E O F --- 2008-12-20 18:15:04

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

While you do that, here is a piece of advice that has nothing to do with viruses:

c:\program files\AngelPotion Video Codec V1 - this codec is more than 6 years old; better not use it, i.e. uninstall it.

  • Dragan Đurašinović
  • Joined: 20 Dec 2008
  • Posts: 82

I did this too; I have one USB stick and a mobile phone!

USB_blocker by bobby

Started at 21.12.2008 12:39:24

Scanning for connected USB Mass storage...
========================================
========================================
Scanning for other storage...
========================================
C: 651e61c3-9f8c-11dc-9db7-806d6172696f
D: 651e61c4-9f8c-11dc-9db7-806d6172696f
========================================

Scanning fixed storage for autorun.inf files...
========================================
========================================



New device connected at 21.12.2008 12:39:35

Scanning for connected USB Mass storage...
========================================
G: 066aa6be-a027-11dc-a470-0019dbd0ba74
========================================

Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================
Sanitizing Shell Menu...
No key for GUID: 066aa6be-a027-11dc-a470-0019dbd0ba74
========================================


New device connected at 21.12.2008 12:40:39

Scanning for connected USB Mass storage...
========================================
========================================

Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================
Sanitizing Shell Menu...
========================================

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Both are clean.
I assume the phone was connected second.
It looks like you picked up the infections from borrowed USB devices.


I missed something a moment ago, so I'd ask you to run ComboFix once more. Registry Power Cleaner is a fake, so it needs to be deleted.

Open Notepad and copy in the following text:

File::
c:\windows\Tasks\RegPowerClean.job
c:\windows\Tasks\RPCReminder.job

Folder::
c:\program files\Winferno\RegistryPowerCleaner\

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9f201e1-c426-11dc-a4aa-0019dbd0ba74}]


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text file onto the ComboFix icon as shown in the picture.
Post the log that is produced at the end of the cleaning/scan in your next message.
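
The CFScript above removes two scheduled-task files, a folder and one registry key; the key is the per-device MountPoints2 entry whose `\Shell\AutoRun\command` line appears in the earlier ComboFix log. As an added example (not from this thread, and not part of ComboFix, which is closed tooling whose internals are not reproduced here), the following Python helper reads the "Reg Loading Points" section of a ComboFix log in the layout posted above, lists the MountPoints2 keys that carry an AutoRun command and the Security Center notification flags that were switched off, and writes File::/Folder::/Registry:: sections in the same CFScript layout the post uses. `SAMPLE_LOG` is a constructed excerpt assembled from lines that are visible in the thread.

```python
"""Triage of the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; not part of ComboFix. SAMPLE_LOG is a
constructed excerpt built from lines that appear in the posted logs.
"""
import re
from typing import Dict, List, Sequence

SAMPLE_LOG = r"""((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9f201e1-c426-11dc-a4aa-0019dbd0ba74}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs
.
Contents of the 'Scheduled Tasks' folder

2008-12-21 c:\windows\Tasks\RegPowerClean.job
- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe [2008-10-28 14:48]
"""

GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


def parse_reg_loading_points(log: str) -> Dict[str, List[str]]:
    """Group the REGEDIT4-style dump into {key path: [value lines]}.

    A '[...]' line opens a key; a blank line or a lone '.' closes it, as in
    the ComboFix layout. Lines outside any key are ignored.
    """
    keys: Dict[str, List[str]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.rstrip()
        if not line or line == ".":
            current = None
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, [])
            continue
        if current is not None:
            keys[current].append(line)
    return keys


def find_mountpoints_autorun(keys: Dict[str, List[str]]) -> List[Dict[str, str]]:
    """Per-device MountPoints2 keys whose AutoRun verb runs a command."""
    hits = []
    for key, lines in keys.items():
        if "mountpoints2" not in key.lower():
            continue
        for line in lines:
            if r"\shell\autorun\command" in line.lower():
                _, _, command = line.partition(" - ")
                m = GUID_RE.search(key)
                hits.append({"key": key,
                             "guid": m.group(0) if m else "",
                             "command": command.strip()})
    return hits


def find_disabled_security_notices(keys: Dict[str, List[str]]) -> List[str]:
    """Security Center *DisableNotify values set to 1 (warnings suppressed)."""
    names = []
    for key, lines in keys.items():
        if not key.lower().endswith(r"\security center"):
            continue
        for line in lines:
            m = re.match(r'"(\w*DisableNotify)"=dword:0*1$', line)
            if m:
                names.append(m.group(1))
    return names


def build_cfscript(files: Sequence[str] = (), folders: Sequence[str] = (),
                   registry_keys: Sequence[str] = ()) -> str:
    """Emit File::/Folder::/Registry:: sections in the layout the post uses.

    A registry key is deleted with the '[-KEY]' .reg convention shown above.
    """
    blocks = []
    if files:
        blocks.append("File::\n" + "\n".join(files))
    if folders:
        blocks.append("Folder::\n" + "\n".join(folders))
    if registry_keys:
        blocks.append("Registry::\n" + "\n".join(f"[-{k}]" for k in registry_keys))
    return "\n\n".join(blocks) + ("\n" if blocks else "")


if __name__ == "__main__":
    parsed = parse_reg_loading_points(SAMPLE_LOG)
    hits = find_mountpoints_autorun(parsed)
    for hit in hits:
        print("AutoRun handler on device", hit["guid"], "->", hit["command"])
    print("Suppressed Security Center notices:",
          find_disabled_security_notices(parsed))
    print(build_cfscript(registry_keys=[h["key"] for h in hits]))
```

The two indicator checks are the ones a helper reads off such a log by eye: a MountPoints2 key with an AutoRun command means the shell remembers a launch action for a particular removable device, and `AntiVirusDisableNotify`/`UpdatesDisableNotify` set to 1 means Security Center warnings were silenced. The generated sections are meant for review before anything is run, exactly as the post has the user copy them into Notepad first.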

  • Dragan Đurašinović
  • Joined: 20 Dec 2008
  • Posts: 82

ComboFix 08-12-20.03 - User 2008-12-21 12:54:39.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1589 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
c:\windows\Tasks\RegPowerClean.job
c:\windows\Tasks\RPCReminder.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Winferno\RegistryPowerCleaner\
c:\program files\Winferno\RegistryPowerCleaner\\CHives.dll
c:\program files\Winferno\RegistryPowerCleaner\\regpowerclean.chm
c:\program files\Winferno\RegistryPowerCleaner\\RegPowerClean.exe
c:\program files\Winferno\RegistryPowerCleaner\\RPCL.DLL
c:\program files\Winferno\RegistryPowerCleaner\\RPCReminder.exe
c:\program files\Winferno\RegistryPowerCleaner\\SysRst.exe
c:\program files\Winferno\RegistryPowerCleaner\\unins000.dat
c:\program files\Winferno\RegistryPowerCleaner\\unins000.exe
c:\program files\Winferno\RegistryPowerCleaner\\WinCMR.dll
c:\windows\Tasks\RegPowerClean.job
c:\windows\Tasks\RPCReminder.job

.
((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.

2008-12-21 11:02 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-12-21 11:02 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2008-12-21 11:02 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-12-20 23:28 . 2008-12-20 23:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\EmailNotifier
2008-12-20 22:44 . 2008-12-20 22:44 146 --a------ c:\windows\wininit.ini
2008-12-20 22:27 . 2008-12-21 10:52 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-20 22:27 . 2008-12-21 10:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-20 17:09 . 2008-12-20 17:09 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-12-20 16:37 . 2008-12-21 11:14 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-12-20 16:29 . 2008-12-20 16:29 50 --a------ c:\windows\MegaManager.INI
2008-12-20 15:50 . 2008-12-20 16:25 <DIR> d--h----- c:\windows\$hf_mig$
2008-12-16 16:04 . 2008-12-17 22:39 <DIR> d-------- c:\program files\WinZip32
2008-12-14 17:57 . 2008-12-14 17:57 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-14 17:57 . 2008-12-14 17:57 1,409 --a------ c:\windows\QTFont.for
2008-12-05 21:33 . 2008-12-09 16:49 <DIR> d-------- c:\program files\XviD
2008-12-05 21:22 . 2008-12-05 21:22 <DIR> d-------- c:\windows\system32\QuickTime
2008-12-05 21:22 . 2008-12-04 21:42 815,104 --a------ c:\windows\system32\xvidcore.dll
2008-12-05 21:22 . 2004-09-23 18:57 747,008 --a------ c:\windows\system32\Indeo4.qtx
2008-12-05 21:22 . 2002-12-20 12:40 675,328 --a------ c:\windows\system32\ir50_32.qtx
2008-12-05 21:22 . 2005-06-10 17:40 360,504 --a------ c:\windows\system32\QTPlugin.ocx
2008-12-05 21:22 . 2004-09-23 18:57 323,072 --a------ c:\windows\system32\QuickTime.cpl
2008-12-05 21:22 . 2002-11-08 20:04 225,280 --a------ c:\windows\system32\qtmlClient.dll
2008-12-05 21:22 . 2004-01-22 19:06 157,696 --a------ c:\windows\system32\unrar.dll
2008-12-05 21:22 . 2004-09-23 18:57 70,144 --a------ c:\windows\system32\QuickTimeCheck.ocx
2008-12-05 21:16 . 2008-12-05 21:16 848 --ahs---- c:\windows\system32\KGyGaAvL.sys
2008-12-05 21:01 . 2008-12-05 21:01 <DIR> d-------- c:\program files\Kodeci
2008-12-02 19:38 . 2008-12-02 19:38 <DIR> d-------- c:\program files\Mail me
2008-11-21 22:47 . 2008-11-21 22:47 3,596,288 --a------ c:\windows\system32\qt-dx331.dll
2008-11-21 22:47 . 2008-11-21 22:47 524,288 --a------ c:\windows\system32\DivXsm.exe
2008-11-21 22:47 . 2008-11-21 22:47 4,816 --a------ c:\windows\system32\divxsm.tlb
2008-11-21 22:46 . 2008-11-21 22:46 1,044,480 --a------ c:\windows\system32\libdivx.dll
2008-11-21 22:46 . 2008-11-21 22:46 200,704 --a------ c:\windows\system32\ssldivx.dll
2008-11-21 22:44 . 2008-11-21 22:44 161,096 --a------ c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 22:44 . 2008-11-21 22:44 12,288 --a------ c:\windows\system32\DivXWMPExtType.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 11:54 --------- d-----w c:\program files\Winferno
2008-12-20 21:44 --------- d-----w c:\program files\Free Offers from Freeze.com
2008-12-20 15:29 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-09 15:51 --------- d-----w c:\documents and settings\User\Application Data\DivX
2008-12-09 15:50 --------- d-----w c:\program files\DivX
2008-12-06 09:08 --------- d-----w c:\program files\Real Alternative
2008-12-05 20:32 --------- d-----w c:\program files\AngelPotion Video Codec V1
2008-12-05 20:22 --------- d-----w c:\program files\K-Lite Codec Pack
2008-12-04 20:46 180,224 ----a-w c:\windows\system32\xvidvfw.dll
2008-12-02 18:38 737,280 ----a-w c:\windows\iun6002.exe
2008-11-27 16:41 --------- d-----w c:\program files\Google
2008-11-21 21:47 9,464 ------w c:\windows\system32\drivers\cdralw2k.sys
2008-11-21 21:47 9,336 ------w c:\windows\system32\drivers\cdr4_xp.sys
2008-11-21 21:47 43,528 ------w c:\windows\system32\drivers\PxHelp20.sys
2008-11-21 21:47 129,784 ------w c:\windows\system32\pxafs.dll
2008-11-21 21:47 120,056 ------w c:\windows\system32\pxcpyi64.exe
2008-11-21 21:47 118,520 ------w c:\windows\system32\pxinsi64.exe
2008-11-19 19:23 --------- d-----w c:\program files\VLC player
2008-11-17 12:54 --------- d-----w c:\program files\FLV Player
2008-11-13 15:43 103,736 ----a-w c:\windows\system32\PnkBstrB.exe
2008-11-11 18:28 --------- d-----w c:\program files\Common Files\Adobe
2008-11-10 18:01 --------- d-----w c:\program files\YouTube Downloader
2008-11-07 14:50 --------- d-----w c:\documents and settings\User\Application Data\vlc
2008-11-07 14:49 --------- d-----w c:\program files\VideoLAN
2008-11-06 23:27 --------- d-----w c:\program files\Real
2008-11-06 23:27 --------- d-----w c:\program files\Common Files\Real
2008-11-06 23:27 --------- d-----w c:\documents and settings\All Users\Application Data\Winferno
2008-11-06 23:23 --------- d-----w c:\program files\Common Files\Winferno
2008-11-06 22:58 --------- d-----w c:\documents and settings\User\Application Data\bsplayer
2008-11-04 17:53 --------- d-----w c:\program files\Eset
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2007-12-13 18:38 22,328 ----a-w c:\documents and settings\User\Application Data\PnkBstrK.sys
2008-11-27 16:42 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-12-20 15:36 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 15:36 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 15:36 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 15:36 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-20 15:36 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-09-19 14:32 56 --sh--r c:\windows\system32\2D490C189A.sys
.

((((((((((((((((((((((((((((( snapshot@2008-12-20_23.43.06.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-21 11:37:01 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_444.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-12-04 949376]
"TkBellExe"="c:\program files\K-Lite Codec Pack\Real\Update_OB\realsched.exe" [2008-09-20 180269]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-27 30192]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-10-04 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip32\WZQKPICK.EXE [2008-12-16 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.AP41"= APmpg4v1.dll
"VIDC.X264"= x264vfw.dll
"vidc.i263"= i263_32.drv
"vidc.i420"= i263_32.drv
"msacm.l3fhg"= mp3fhg.acm
"msacm.imc"= imc32.acm
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"VIDC.HFYU"= huffyuv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-12-04 15424]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-27 30192]
.
Contents of the 'Scheduled Tasks' folder

2008-12-21 c:\windows\Tasks\PCConfidential.job
- c:\program files\Winferno\PC Confidential\PCConfidential.exe [2008-04-01 14:10]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\fzy7oxrv.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.gogle.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\program files\BS.Player ControlBar\FirefoxDTT\components\BSToolbarFF.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-12-21 12:55:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(800)
c:\windows\system32\imon.dll
.
Completion time: 2008-12-21 12:56:22
ComboFix-quarantined-files.txt 2008-12-21 11:56:20
ComboFix2.txt 2008-12-21 11:05:51
ComboFix3.txt 2008-12-20 22:43:27

Pre-Run: 6.605.258.752 bytes free
Post-Run: 6,576,881,664 bytes free

204 --- E O F --- 2008-12-20 18:15:04

Addendum: 21 Dec 2008 13:09

Where is that Registry Power Cleaner so I can delete it?

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

We just deleted it with ComboFix.

Tell me now, are there any more visible symptoms?
How is the computer behaving?
I no longer see anything malicious in the logs.
