Šta je ovo tnuwq32vpmmr.exe.exe.exe.exe.exe

Dobro veče svima
Unaprijed se izvinjavam ako sam pogriješio sekciju

Naime u kompjuteru sam našao ovo
tnuwq32vpmmr.exe.exe.exe.exe.exe bilo je na particiji c odmah pored Documents and Settings, Program files i Windows
Obrisao sam ga standardno desni klik pa delete ali prilikom skeniranja sa Hijack pronašao sam i ovo
F2 - REG:system.ini:UserInt=C:/WINDOWS/system32/userint.exe,C/WIDOWS/sorry.exe,

Može li neko da mi pomogne
Hvala

Obrati paznju kako se otvara tema u ambulanti:
http://www.mycity.rs/Ambulanta/Kako-otvoriti-temu-u-Ambulanti.html

Ja se izvinjavam nije namjerno

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:33:39, on 20.12.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Memturbo 4\MemTurbo.exe
C:\Program Files\a-squared Anti-Dialer\a2service.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\sorry.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Microsoft - {B3B32131-5331-1267-9353-002031030200} - C:\WINDOWS\search_promo.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MemTurbo.lnk = C:\Program Files\Memturbo 4\MemTurbo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{25C65EA4-5DEC-467C-9414-7FC17653EF49}: NameServer = 195.66.160.1,195.66.160.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 5984 bytes

Pozdrav...


Upload-uj sledeći file: C:\WINDOWS\search_promo.dll

Upload link: http://www.mycity.rs/ambulanta-upload.php

Ukoliko file nije vidljiv, aktiviraj prikaz skrivenih file-ova:
http://www.mycity.rs/Uputstva-sa-ex-SuperSajta/Kako-videti-skrivene-fajlove.html

Evo ga
Hvala na pomoći

Klikni desnim tasterom miša na avast! ikonicu ( ) u donjem, desnom uglu ekrana i izaberi Stop OnAccess Protection.

Napomena: Ne zaboravi da uključiš ovu opciju po završetku čišćenja.



Skini ComboFix sa jedne od sledecih adresa na Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Startuj ga i ne diraj prozor programa dok skenira.
Sledi uputstva na ekranu. Kada zavrsi pojavice se log (C:\ComboFix.txt) koji ces nam ovde iskopirati.

Evo nadam se da sam dobro odradio

ComboFix 08-12-18.03 - JIB 2008-12-20 11:39:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.1023.571 [GMT 1:00]
Running from: c:\documents and settings\JIB\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - WINDOWS: deleted 48 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\JIB\Application Data\.#
c:\documents and settings\JIB\Application Data\inst.exe
c:\windows\regedit.com
c:\windows\system32\taskmgr.com
c:\windows\system32\wfwindowp32.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-20 to 2008-12-20 )))))))))))))))))))))))))))))))
.

2008-12-20 11:30 . 2008-12-20 11:30 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Grisoft
2008-12-20 11:21 . 2006-09-05 17:03 3,968 --a------ c:\windows\system32\drivers\AvgAsCln.sys
2008-12-20 03:19 . 2008-12-20 03:19 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\SITEguard
2008-12-20 03:15 . 2008-12-20 03:15 <DIR> d-------- c:\program files\Common Files\iS3
2008-12-20 00:19 . 2008-12-20 00:19 69,632 --a------ c:\windows\search_promo.dll
2008-12-17 23:15 . 2008-12-17 23:15 <DIR> d-------- c:\documents and settings\JIB\Application Data\Uniblue
2008-12-17 02:04 . 2008-12-17 01:22 5,977 --a------ c:\windows\sorry.exe
2008-12-16 13:39 . 2008-12-16 13:39 <DIR> d-------- c:\program files\EA GAMES
2008-12-14 19:56 . 2008-12-14 19:56 <DIR> d-------- c:\documents and settings\JIB\Application Data\Thinstall
2008-12-12 10:11 . 2008-12-12 10:11 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Elaborate Bytes
2008-12-11 21:53 . 2008-12-11 21:53 <DIR> d-------- c:\windows\system32\embedded
2008-12-11 21:53 . 2008-12-11 21:53 <DIR> d-------- c:\program files\Memturbo 4
2008-12-06 17:54 . 2008-12-06 17:54 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\nView_Profiles
2008-12-06 00:17 . 2008-12-06 00:17 <DIR> d-------- c:\program files\Eidos
2008-12-04 16:47 . 2008-12-20 11:04 31,324 --a------ c:\windows\system32\nvapps.xml
2008-12-04 16:09 . 2008-12-04 16:57 664 --a------ c:\windows\system32\d3d9caps.dat
2008-12-04 16:06 . 2008-12-04 17:09 <DIR> d-------- c:\windows\nview
2008-12-04 16:06 . 2008-09-17 23:55 453,152 --a------ c:\windows\system32\nvuninst.exe
2008-12-04 16:06 . 2008-09-17 23:55 453,152 --a------ c:\windows\system32\nvudisp.exe
2008-12-04 16:06 . 2005-07-20 14:07 14,757 --a------ c:\windows\system32\nvdisp.nvu
2008-12-04 15:43 . 2008-12-04 15:43 <DIR> d-------- c:\program files\Xicat
2008-12-03 11:54 . 2008-12-03 11:54 <DIR> d-------- c:\documents and settings\JIB\Application Data\DAEMON Tools
2008-12-01 01:09 . 2008-12-01 01:12 <DIR> d-------- c:\documents and settings\JIB\Application Data\BID
2008-12-01 00:07 . 2008-12-01 10:45 21,840 --a----t- c:\windows\system32\SIntfNT.dll
2008-12-01 00:07 . 2008-12-01 10:45 17,212 --a----t- c:\windows\system32\SIntf32.dll
2008-12-01 00:07 . 2008-12-01 10:45 12,067 --a----t- c:\windows\system32\SIntf16.dll
2008-11-30 23:32 . 2008-12-13 18:49 <DIR> d-------- c:\documents and settings\JIB\Application Data\IObit
2008-11-29 13:23 . 2008-11-29 13:26 <DIR> d-------- c:\program files\Webteh
2008-11-28 11:09 . 2008-11-30 23:43 <DIR> d-------- c:\windows\Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-20 02:27 --------- d-----w c:\documents and settings\JIB\Application Data\Lavasoft
2008-12-19 23:30 --------- d---a-w c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2008-12-19 08:48 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-12-19 07:58 --------- d-----w c:\program files\Di recnik
2008-12-17 22:44 --------- d-----w c:\program files\GRETECH
2008-12-16 12:39 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-16 01:54 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-16 01:50 --------- d-----w c:\program files\Wise Registry Cleaner
2008-12-13 17:52 --------- d-----w c:\program files\IObit
2008-12-13 17:44 --------- d-----w c:\documents and settings\JIB\Application Data\DNA
2008-12-11 20:50 --------- d-----w c:\program files\MemTurbo30
2008-12-06 09:40 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-03 18:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 18:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-11-30 22:43 --------- d-----w c:\documents and settings\JIB\Application Data\Vso
2008-11-25 22:02 --------- d-----w c:\documents and settings\JIB\Application Data\Skype
2008-11-16 13:48 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-10 23:46 --------- d-----w c:\program files\SuperBlank
2008-10-31 01:02 223,128 ----a-w c:\windows\system32\drivers\vaxscsi.sys
2008-10-31 01:02 --------- d-----w c:\program files\Alcohol Soft
2008-10-31 00:06 --------- d-----w c:\program files\NCH Software
2008-10-20 15:51 --------- d-----w c:\documents and settings\JIB\Application Data\NCH Software
2008-10-20 15:49 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\NCH Software
2008-10-12 13:16 43,520 ----a-w c:\windows\system32\CmdLineExt03.dll
2008-10-09 18:48 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-10-07 13:44 47,360 ----a-w c:\documents and settings\JIB\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2008-11-26 2235920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-20 7110656]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-07-20 86016]
"nwiz"="nwiz.exe" [2005-07-20 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\JIB\Start Menu\Programs\Startup\
MemTurbo.lnk - c:\program files\Memturbo 4\MemTurbo.exe [2008-12-11 2314752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"msacm.ac3filter"= ac3filter.acm
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPitstop Disk MD Registration Reminder

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [2005-12-06 35328]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-08-10 111184]
R2 a2AntiDialer;a-squared Anti-Dialer Service;"c:\program files\a-squared Anti-Dialer\a2service.exe" [2008-07-13 380536]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-08-10 20560]
S2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};\??\c:\program files\CyberLink\PowerDVD\000.fcl []
S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e10387b2-b0f6-11dd-9bf5-0015f29cd874}]
\Shell\AutoRun\command - nideiect.com
\Shell\explore\Command - nideiect.com
\Shell\open\Command - nideiect.com

*Newly Created Service* - AVG_ANTI-SPYWARE_GUARD
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-07-14 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-30 13:45]
.
.
------- Supplementary Scan -------
.
mWindow Title =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {25C65EA4-5DEC-467C-9414-7FC17653EF49} = 195.66.160.1,195.66.160.2
FF - ProfilePath - c:\documents and settings\JIB\Application Data\Mozilla\Firefox\Profiles\q9xumreg.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
FF - user.js: network.proxy.http_port - 0
FF - user.js: network.proxy.ssl -
FF - user.js: network.proxy.ssl_port - 0
FF - user.js: network.proxy.ftp -
FF - user.js: network.proxy.ftp_port - 0
FF - user.js: network.proxy.gopher -
FF - user.js: network.proxy.gopher_port - 0
FF - user.js: network.proxy.socks_version - 5
FF - user.js: network.proxy.socks -
FF - user.js: network.proxy.socks_port - 0
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-20 11:41:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-12-20 11:42:03
ComboFix-quarantined-files.txt 2008-12-20 10:42:01

Pre-Run: 26.534.375.424 bytes free
Post-Run: 26,536,546,304 bytes free

178



Evo sad kad otvorim start pa u run ukucam msconfig on mi izbaci sledeću poruku
Šta je ovo ?

O tome kasnije, kad završimo sa uklanjenjem malware-a.




Otvoriti Notepad i iskopirati sledeci tekst:

File::
c:\windows\search_promo.dll
c:\windows\sorry.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e10387b2-b0f6-11dd-9bf5-0015f29cd874}]


Snimiti na Desktop fajl iz Notepada kao "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.

ComboFix 08-12-18.03 - JIB 2008-12-20 13:11:28.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.1023.505 [GMT 1:00]
Running from: c:\documents and settings\JIB\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\JIB\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\search_promo.dll
c:\windows\sorry.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\search_promo.dll
c:\windows\sorry.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-20 to 2008-12-20 )))))))))))))))))))))))))))))))
.

2008-12-20 11:30 . 2008-12-20 11:30 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Grisoft
2008-12-20 03:19 . 2008-12-20 03:19 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\SITEguard
2008-12-20 03:15 . 2008-12-20 03:15 <DIR> d-------- c:\program files\Common Files\iS3
2008-12-17 23:15 . 2008-12-17 23:15 <DIR> d-------- c:\documents and settings\JIB\Application Data\Uniblue
2008-12-16 13:39 . 2008-12-16 13:39 <DIR> d-------- c:\program files\EA GAMES
2008-12-14 19:56 . 2008-12-14 19:56 <DIR> d-------- c:\documents and settings\JIB\Application Data\Thinstall
2008-12-12 10:11 . 2008-12-12 10:11 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Elaborate Bytes
2008-12-11 21:53 . 2008-12-11 21:53 <DIR> d-------- c:\windows\system32\embedded
2008-12-11 21:53 . 2008-12-11 21:53 <DIR> d-------- c:\program files\Memturbo 4
2008-12-06 17:54 . 2008-12-06 17:54 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\nView_Profiles
2008-12-06 00:17 . 2008-12-06 00:17 <DIR> d-------- c:\program files\Eidos
2008-12-04 16:47 . 2008-12-20 11:04 31,324 --a------ c:\windows\system32\nvapps.xml
2008-12-04 16:09 . 2008-12-04 16:57 664 --a------ c:\windows\system32\d3d9caps.dat
2008-12-04 16:06 . 2008-12-04 17:09 <DIR> d-------- c:\windows\nview
2008-12-04 16:06 . 2008-09-17 23:55 453,152 --a------ c:\windows\system32\nvuninst.exe
2008-12-04 16:06 . 2008-09-17 23:55 453,152 --a------ c:\windows\system32\nvudisp.exe
2008-12-04 16:06 . 2005-07-20 14:07 14,757 --a------ c:\windows\system32\nvdisp.nvu
2008-12-04 15:43 . 2008-12-04 15:43 <DIR> d-------- c:\program files\Xicat
2008-12-03 11:54 . 2008-12-03 11:54 <DIR> d-------- c:\documents and settings\JIB\Application Data\DAEMON Tools
2008-12-01 01:09 . 2008-12-01 01:12 <DIR> d-------- c:\documents and settings\JIB\Application Data\BID
2008-12-01 00:07 . 2008-12-01 10:45 21,840 --a----t- c:\windows\system32\SIntfNT.dll
2008-12-01 00:07 . 2008-12-01 10:45 17,212 --a----t- c:\windows\system32\SIntf32.dll
2008-12-01 00:07 . 2008-12-01 10:45 12,067 --a----t- c:\windows\system32\SIntf16.dll
2008-11-30 23:32 . 2008-12-13 18:49 <DIR> d-------- c:\documents and settings\JIB\Application Data\IObit
2008-11-29 13:23 . 2008-11-29 13:26 <DIR> d-------- c:\program files\Webteh
2008-11-28 11:09 . 2008-11-30 23:43 <DIR> d-------- c:\windows\Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-20 02:27 --------- d-----w c:\documents and settings\JIB\Application Data\Lavasoft
2008-12-19 23:30 --------- d---a-w c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2008-12-19 08:48 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-12-19 07:58 --------- d-----w c:\program files\Di recnik
2008-12-17 22:44 --------- d-----w c:\program files\GRETECH
2008-12-16 12:39 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-16 01:54 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-16 01:50 --------- d-----w c:\program files\Wise Registry Cleaner
2008-12-13 17:52 --------- d-----w c:\program files\IObit
2008-12-13 17:44 --------- d-----w c:\documents and settings\JIB\Application Data\DNA
2008-12-11 20:50 --------- d-----w c:\program files\MemTurbo30
2008-12-06 09:40 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-03 18:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 18:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-11-30 22:43 --------- d-----w c:\documents and settings\JIB\Application Data\Vso
2008-11-25 22:02 --------- d-----w c:\documents and settings\JIB\Application Data\Skype
2008-11-16 13:48 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-10 23:46 --------- d-----w c:\program files\SuperBlank
2008-10-31 01:02 223,128 ----a-w c:\windows\system32\drivers\vaxscsi.sys
2008-10-31 01:02 --------- d-----w c:\program files\Alcohol Soft
2008-10-31 00:06 --------- d-----w c:\program files\NCH Software
2008-10-20 15:51 --------- d-----w c:\documents and settings\JIB\Application Data\NCH Software
2008-10-20 15:49 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\NCH Software
2008-10-12 13:16 43,520 ----a-w c:\windows\system32\CmdLineExt03.dll
2008-10-09 18:48 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-10-07 13:44 47,360 ----a-w c:\documents and settings\JIB\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2008-11-26 2235920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-20 7110656]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-07-20 86016]
"nwiz"="nwiz.exe" [2005-07-20 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\JIB\Start Menu\Programs\Startup\
MemTurbo.lnk - c:\program files\Memturbo 4\MemTurbo.exe [2008-12-11 2314752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [2005-12-06 35328]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-08-10 111184]
R2 a2AntiDialer;a-squared Anti-Dialer Service;"c:\program files\a-squared Anti-Dialer\a2service.exe" [2008-07-13 380536]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-08-10 20560]
S2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};\??\c:\program files\CyberLink\PowerDVD\000.fcl []
S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys []

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-07-14 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-30 13:45]
.
.
------- Supplementary Scan -------
.
mWindow Title =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {25C65EA4-5DEC-467C-9414-7FC17653EF49} = 195.66.160.1,195.66.160.2
FF - ProfilePath - c:\documents and settings\JIB\Application Data\Mozilla\Firefox\Profiles\q9xumreg.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
FF - user.js: network.proxy.http_port - 0
FF - user.js: network.proxy.ssl -
FF - user.js: network.proxy.ssl_port - 0
FF - user.js: network.proxy.ftp -
FF - user.js: network.proxy.ftp_port - 0
FF - user.js: network.proxy.gopher -
FF - user.js: network.proxy.gopher_port - 0
FF - user.js: network.proxy.socks_version - 5
FF - user.js: network.proxy.socks -
FF - user.js: network.proxy.socks_port - 0
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-20 13:13:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-12-20 13:13:55
ComboFix-quarantined-files.txt 2008-12-20 12:13:53
ComboFix2.txt 2008-12-20 10:42:05

Pre-Run: 26.255.888.384 bytes free
Post-Run: 26,244,653,056 bytes free

162
Hvala još jednom !



Jesam li dobro ovo uradio
nadam se da nisam nešto pogriješio

Dobro je odrađeno...


Ovo sada izgleda ok. Što se tiče msconfig-a...


File treba da bude u ovom folderu: C:\WINDOWS\pchealth\helpctr\binaries


Proveri da li je tamo i da li ga je moguće pokrenuti dvoklikom.