MyCity » Ambulanta -> Arhiva Ambulante » worm/autorun.pex

worm/autorun.pex

Napisano na dan: 22.1.2009
1

worm/autorun.pex
Sledeća strana Pagination

Idi na vrh

Poslao: 22 Jan 2009 19:16
Idi na vrh
offline
  • Pridružio: 08 Dec 2005
  • Poruke: 60
  • Gde živiš: bgd

19:13 22.1.2009Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:12:39, on 22.1.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows7\Windows 7 Pie Dock\Windows 7 Pie Dock.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows7\Analog Clock\AnalogClock.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\GUARDGUI.EXE
C:\Documents and Settings\Pavel\Desktop\test\tr3.exe.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [Link mogu videti samo ulogovani korisnici]*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [Link mogu videti samo ulogovani korisnici]*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [Link mogu videti samo ulogovani korisnici]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [Link mogu videti samo ulogovani korisnici]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [Link mogu videti samo ulogovani korisnici]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [Link mogu videti samo ulogovani korisnici]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [Link mogu videti samo ulogovani korisnici]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [Link mogu videti samo ulogovani korisnici]*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Pie Dock] "C:\Program Files\Windows7\Windows 7 Pie Dock\Windows 7 Pie Dock.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GroupManager] C:\Documents and Settings\Pavel\My Documents\groupmanager.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [AnalogClock] C:\Program Files\Windows7\Analog Clock\AnalogClock.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - [Link mogu videti samo ulogovani korisnici]\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - [Link mogu videti samo ulogovani korisnici]\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - [Link mogu videti samo ulogovani korisnici]\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - [Link mogu videti samo ulogovani korisnici]\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Iz&vezi u Microsoft Excel - [Link mogu videti samo ulogovani korisnici]\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [Link mogu videti samo ulogovani korisnici]
O17 - HKLM\System\CCS\Services\Tcpip\..\{192140F7-009F-464A-96ED-A390FBC89746}: NameServer = 62.240.12.1 62.240.12.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 10027 bytes



Poslao: 22 Jan 2009 19:29
Idi na vrh
offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master učitelj
  • Pridružio: 27 Avg 2005
  • Poruke: 8630
  • Gde živiš: Novi Beograd

Zdravo,

Klikni desnim tasterom na Avira ikonicu ( ) u donjem, desnom uglu ekrana i deštikliraj AntiVir Guard Enable.

Napomena: Ne zaboravi da uključiš ovu opciju po završetku čišćenja.

---------------------


Pokrenite Spybot S&D
Kliknite Mode stavku u meniju
Odaberite Advance Mode
Na traci levo kliknite na Tools
Kliknite na Resident
Destiklirajte Resident Tea-Timer
Zatvorite Spybot S&D
Restartujte kompjuter.
- Zatim skinuti program sa ovog linka na Desktop.
- Pokrenuti ga dvoklikom i ispratiti uputstva.

Nemojte zaboraviti da ponovo ukljucite ove opcije kada zavrsimo ciscenje.

---------------------------

Skini ComboFix sa jedne od sledecih adresa na Desktop:
[Link mogu videti samo ulogovani korisnici]
[Link mogu videti samo ulogovani korisnici]
[Link mogu videti samo ulogovani korisnici]

Startuj ga i ne diraj prozor programa dok skenira.
Sledi uputstva na ekranu. Kada zavrsi pojavice se log (C:\ComboFix.txt) koji ces nam ovde iskopirati.



Poslao: 22 Jan 2009 20:01
Idi na vrh
offline
  • Pridružio: 08 Dec 2005
  • Poruke: 60
  • Gde živiš: bgd

ComboFix 09-01-21.04 - Pavel 2009-01-22 19:51:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1033.18.3583.3154 [GMT 1:00]
Running from: c:\documents and settings\Pavel\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Pavel\My Documents\notepad.exe
c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013
c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-22 to 2009-01-22 )))))))))))))))))))))))))))))))
.

2009-01-22 18:18 . 2009-01-22 19:06 <DIR> d-------- c:\program files\Spyware Doctor
2009-01-22 18:18 . 2009-01-22 18:18 <DIR> d-------- c:\documents and settings\Pavel\Application Data\PC Tools
2009-01-22 18:18 . 2009-01-22 18:29 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-01-22 18:18 . 2009-01-22 18:29 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-01-22 18:18 . 2009-01-22 18:28 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-01-22 18:18 . 2008-06-02 15:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-01-22 15:11 . 2009-01-22 15:11 2,093 --a------ C:\phone22.exe
2009-01-22 14:45 . 2009-01-22 15:08 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-22 14:45 . 2009-01-22 15:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-22 14:33 . 2009-01-22 14:33 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-22 14:33 . 2009-01-22 14:33 1,409 --a------ c:\windows\QTFont.for
2009-01-22 14:18 . 2009-01-22 14:19 <DIR> d-------- c:\program files\AutorunRemover
2009-01-20 13:08 . 2009-01-20 14:46 177,844 --a------ C:\Validate.exe
2009-01-17 15:14 . 2009-01-17 15:59 33,835 --a------ C:\s22.exe
2009-01-14 19:30 . 2009-01-16 12:20 33,835 --a------ C:\sexy.exe
2009-01-14 19:28 . 2009-01-22 19:51 <DIR> dr-hs---- C:\RESTORE
2009-01-14 19:28 . 2009-01-14 19:28 30,208 --a------ C:\x0rx.exe
2009-01-13 23:26 . 2009-01-14 16:12 33,835 --a------ C:\dial2.exe
2009-01-11 17:51 . 2009-01-13 16:30 33,792 --a------ C:\dial.exe
2008-12-23 20:07 . 2008-12-23 20:07 1,962 --a------ c:\windows\ST5UNST.004

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-22 18:53 --------- d-----w c:\documents and settings\Pavel\Application Data\Orbit
2009-01-22 18:42 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-22 14:54 --------- d-----w c:\program files\GIGABYTE
2009-01-22 10:17 --------- d-----w c:\program files\Google
2009-01-22 10:17 --------- d-----w c:\program files\Desktop Maestro
2009-01-09 12:58 --------- d-----w c:\program files\QBeez 2
2008-12-24 19:05 --------- d-----w c:\program files\Beetle Bug 2
2008-12-15 00:44 --------- d-----w c:\documents and settings\Pavel\Application Data\Skype
2008-12-14 23:04 --------- d-----w c:\documents and settings\Pavel\Application Data\skypePM
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-29 05:21 --------- d-----w c:\documents and settings\Pavel\Application Data\Desktop Maestro
2008-11-22 19:00 --------- d-----w c:\program files\FDRLab
2008-09-12 11:26 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-08-24 17:12 13,622 ----a-w c:\documents and settings\Pavel\STARTUP.reg
2008-09-11 15:43 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2008-09-11 15:43 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-09-11 15:43 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091120080912\index.dat
2008-09-11 15:43 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

------- Sigcheck -------

2008-03-20 19:36 578560 f92d8964b5286de225bd2b6bf89764be c:\windows\system32\user32.dll

2008-04-28 10:24 547328 a55b8899d2ea2e800061bcfd456e34dc c:\windows\system32\winlogon.exe

2008-08-18 19:17 1616384 4a90f51b778fa0157f60d206e8b37d2a c:\windows\explorer.exe

2008-04-28 10:22 25088 b5e8782d4af1b3756f38e11e7c157bbe c:\windows\system32\ctfmon.exe

2008-03-20 19:36 989696 9a8d604748d9fe73b66021e5782a4a3c c:\windows\system32\kernel32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnalogClock"="c:\program files\Windows7\Analog Clock\AnalogClock.exe" [2005-11-05 480256]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-28 25088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pie Dock"="c:\program files\Windows7\Windows 7 Pie Dock\Windows 7 Pie Dock.exe" [2007-09-02 586240]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-12 282624]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"GroupManager"="c:\documents and settings\Pavel\My Documents\groupmanager.exe" [2009-01-18 21504]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2008-06-12 266497]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-28 25088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2008-10-16 c:\windows\system32\advpack.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2008-09-12 1674432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.FFDS"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk
backup=c:\windows\pss\NCProTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Orbit.lnk
backup=c:\windows\pss\Orbit.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Pavel^Start Menu^Programs^Startup^Windows Seven Dock.lnk]
path=c:\documents and settings\Pavel\Start Menu\Programs\Startup\Windows Seven Dock.lnk
backup=c:\windows\pss\Windows Seven Dock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 18:51 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
--a------ 2008-08-22 18:26 1234160 c:\program files\CCleaner\CCleaner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO SafeSurf]
--a------ 2008-09-12 07:02 278264 c:\program files\COMODO\SafeSurf\cssurf.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-28 10:22 25088 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 15:45 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KRun]
--a------ 2007-04-06 15:15 518656 c:\program files\Windows7\RunMe\RunMe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2006-10-31 00:03 284184 c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2006-11-15 20:58 746520 c:\program files\Logitech\QuickCam10\QuickCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2006-11-15 21:01 244512 c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-10-07 12:33 13574144 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-10-07 12:33 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-12 09:08 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
--a------ 2007-09-02 07:58 495616 c:\program files\RocketDock\RocketDock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-06 17:37 21898024 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TransBar]
--a------ 2005-06-01 16:41 65536 c:\program files\Windows7\TransBar\TransBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Visual Task Tips]
--a------ 2007-09-05 18:20 36352 c:\program files\Windows7\VisualTaskTips\VisualTaskTips.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r---c--- 2005-05-03 11:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-10-07 12:33 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r---c--- 2007-01-30 11:54 16116224 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r---c--- 2006-05-16 11:04 2879488 c:\windows\SkyTel.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R4 AntiVirMailService;Avira AntiVir Premium MailGuard;c:\program files\Avira\AntiVir PersonalEdition Premium\avmailc.exe [2009-01-22 164097]
R4 antivirwebservice;Avira AntiVir Premium WebGuard;c:\program files\Avira\AntiVir PersonalEdition Premium\avwebgrd.exe [2009-01-22 258305]
R4 AVEService;Avira AntiVir Premium MailGuard helper service;c:\program files\Avira\AntiVir PersonalEdition Premium\avesvc.exe [2009-01-22 41217]
S3 cnxt1803;Compaq 10_100 MiniPCI Ethernet NIC Driver;c:\windows\system32\drivers\cnxt1803.sys [2008-09-11 39936]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-22 356920]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-OnlineArmor GUI - c:\program files\Tall Emu\Online Armor\oaui.exe
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe


.
------- Supplementary Scan -------
.
uStart Page = [Link mogu videti samo ulogovani korisnici]
uSearchMigratedDefaultURL = [Link mogu videti samo ulogovani korisnici]{searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = [Link mogu videti samo ulogovani korisnici]
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = [Link mogu videti samo ulogovani korisnici]*http://www.yahoo.com
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Iz&vezi u Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: avsda.dll
TCP: {192140F7-009F-464A-96ED-A390FBC89746} = 62.240.12.1 62.240.12.2
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2009-01-22 19:55:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(788-)
c:\windows\system32\setupapi.dll
c:\windows\system32\avsda.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
c:\program files\Avira\AntiVir PersonalEdition Premium\sched.exe
c:\windows\system32\rundll32.exe
c:\program files\Orbitdownloader\orbitnet.exe
c:\program files\Avira\AntiVir PersonalEdition Premium\avguard.exe
c:\program files\MagicTune Premium\MagicTuneEngine.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-22 19:58:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-22 18:58:25

Pre-Run: 104.896.679.936 bytes free
Post-Run: 104,833,626,112 bytes free

224 --- E O F --- 2009-01-14 23:23:11

Poslao: 22 Jan 2009 22:01
Idi na vrh
offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master učitelj
  • Pridružio: 27 Avg 2005
  • Poruke: 8630
  • Gde živiš: Novi Beograd

Ponovo iskljuci Antivirus i SpyBot.

Otvoriti Notepad i iskopirati sledeci tekst:

File::
C:\s22.exe
C:\sexy.exe
C:\x0rx.exe
C:\dial2.exe
C:\dial.exe
C:\phone22.exe

DirLook::
C:\RESTORE


Snimiti na Desktop fajl iz Notepada kao "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.

Poslao: 22 Jan 2009 23:44
Idi na vrh
offline
  • Pridružio: 08 Dec 2005
  • Poruke: 60
  • Gde živiš: bgd

ComboFix 09-01-21.04 - Pavel 2009-01-22 23:37:15.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1033.18.3583.3118 [GMT 1:00]
Running from: c:\documents and settings\Pavel\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Pavel\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\dial.exe
C:\dial2.exe
C:\phone22.exe
C:\s22.exe
C:\sexy.exe
C:\x0rx.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\dial.exe
C:\dial2.exe
C:\install.exe
C:\phone22.exe
C:\s22.exe
C:\sexy.exe
C:\x0rx.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-22 to 2009-01-22 )))))))))))))))))))))))))))))))
.

2009-01-22 20:19 . 2009-01-22 23:30 <DIR> d-------- c:\program files\iCall
2009-01-22 18:18 . 2009-01-22 19:06 <DIR> d-------- c:\program files\Spyware Doctor
2009-01-22 18:18 . 2009-01-22 18:18 <DIR> d-------- c:\documents and settings\Pavel\Application Data\PC Tools
2009-01-22 18:18 . 2009-01-22 18:29 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-01-22 18:18 . 2009-01-22 18:29 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-01-22 18:18 . 2009-01-22 18:28 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-01-22 18:18 . 2008-06-02 15:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-01-22 14:45 . 2009-01-22 15:08 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-22 14:45 . 2009-01-22 15:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-22 14:33 . 2009-01-22 14:33 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-22 14:33 . 2009-01-22 14:33 1,409 --a------ c:\windows\QTFont.for
2009-01-22 14:18 . 2009-01-22 14:19 <DIR> d-------- c:\program files\AutorunRemover
2009-01-20 13:08 . 2009-01-20 14:46 177,844 --a------ C:\Validate.exe
2009-01-14 19:28 . 2009-01-22 19:51 <DIR> dr-hs---- C:\RESTORE
2008-12-23 20:07 . 2008-12-23 20:07 1,962 --a------ c:\windows\ST5UNST.004

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-22 19:58 --------- d-----w c:\documents and settings\Pavel\Application Data\Orbit
2009-01-22 19:53 --------- d-----w c:\documents and settings\Pavel\Application Data\Skype
2009-01-22 19:10 --------- d-----w c:\documents and settings\Pavel\Application Data\skypePM
2009-01-22 18:42 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-22 14:54 --------- d-----w c:\program files\GIGABYTE
2009-01-22 10:17 --------- d-----w c:\program files\Google
2009-01-22 10:17 --------- d-----w c:\program files\Desktop Maestro
2009-01-09 12:58 --------- d-----w c:\program files\QBeez 2
2008-12-24 19:05 --------- d-----w c:\program files\Beetle Bug 2
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-29 05:21 --------- d-----w c:\documents and settings\Pavel\Application Data\Desktop Maestro
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-09-12 11:26 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-08-24 17:12 13,622 ----a-w c:\documents and settings\Pavel\STARTUP.reg
2008-09-11 15:43 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2008-09-11 15:43 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-09-11 15:43 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091120080912\index.dat
2008-09-11 15:43 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\RESTORE ----



------- Sigcheck -------

2008-03-20 19:36 578560 f92d8964b5286de225bd2b6bf89764be c:\windows\system32\user32.dll

2008-04-28 10:24 547328 a55b8899d2ea2e800061bcfd456e34dc c:\windows\system32\winlogon.exe

2008-08-18 19:17 1616384 4a90f51b778fa0157f60d206e8b37d2a c:\windows\explorer.exe

2008-04-28 10:22 25088 b5e8782d4af1b3756f38e11e7c157bbe c:\windows\system32\ctfmon.exe

2008-03-20 19:36 989696 9a8d604748d9fe73b66021e5782a4a3c c:\windows\system32\kernel32.dll
.
((((((((((((((((((((((((((((( [Link mogu videti samo ulogovani korisnici] )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 00:19:32 161,784 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_312cf0e9\atl90.dll
+ 2007-11-06 19:23:58 224,768 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcm90.dll
+ 2007-11-07 00:19:34 568,832 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcp90.dll
+ 2007-11-07 00:19:34 655,872 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcr90.dll
+ 2007-11-07 00:19:38 1,156,600 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_a173767a\mfc90.dll
+ 2007-11-07 00:19:38 1,162,744 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_a173767a\mfc90u.dll
+ 2007-11-06 21:51:08 59,904 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_a173767a\mfcm90.dll
+ 2007-11-06 21:51:08 59,904 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_a173767a\mfcm90u.dll
+ 2007-11-07 00:19:16 41,472 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90chs.dll
+ 2007-11-07 00:19:16 41,984 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90cht.dll
+ 2007-11-07 00:19:28 60,928 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90deu.dll
+ 2007-11-07 00:19:22 54,272 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90enu.dll
+ 2007-11-07 00:19:22 59,392 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90esn.dll
+ 2007-11-07 00:19:22 59,392 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90esp.dll
+ 2007-11-07 00:19:28 60,416 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90fra.dll
+ 2007-11-07 00:19:28 59,392 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90ita.dll
+ 2007-11-07 00:19:16 47,104 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90jpn.dll
+ 2007-11-07 00:19:16 46,592 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90kor.dll
+ 2007-11-07 00:19:22 54,272 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnalogClock"="c:\program files\Windows7\Analog Clock\AnalogClock.exe" [2005-11-05 480256]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-28 25088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pie Dock"="c:\program files\Windows7\Windows 7 Pie Dock\Windows 7 Pie Dock.exe" [2007-09-02 586240]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-12 282624]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"GroupManager"="c:\documents and settings\Pavel\My Documents\groupmanager.exe" [2009-01-18 21504]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2008-06-12 266497]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-28 25088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2008-10-16 c:\windows\system32\advpack.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2008-09-12 1674432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.FFDS"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NCProTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk
backup=c:\windows\pss\NCProTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Orbit.lnk
backup=c:\windows\pss\Orbit.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Pavel^Start Menu^Programs^Startup^Windows Seven Dock.lnk]
path=c:\documents and settings\Pavel\Start Menu\Programs\Startup\Windows Seven Dock.lnk
backup=c:\windows\pss\Windows Seven Dock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 18:51 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
--a------ 2008-08-22 18:26 1234160 c:\program files\CCleaner\CCleaner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO SafeSurf]
--a------ 2008-09-12 07:02 278264 c:\program files\COMODO\SafeSurf\cssurf.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-28 10:22 25088 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 15:45 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KRun]
--a------ 2007-04-06 15:15 518656 c:\program files\Windows7\RunMe\RunMe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2006-10-31 00:03 284184 c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2006-11-15 20:58 746520 c:\program files\Logitech\QuickCam10\QuickCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2006-11-15 21:01 244512 c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-10-07 12:33 13574144 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-10-07 12:33 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-12 09:08 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
--a------ 2007-09-02 07:58 495616 c:\program files\RocketDock\RocketDock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-06 17:37 21898024 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TransBar]
--a------ 2005-06-01 16:41 65536 c:\program files\Windows7\TransBar\TransBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Visual Task Tips]
--a------ 2007-09-05 18:20 36352 c:\program files\Windows7\VisualTaskTips\VisualTaskTips.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r---c--- 2005-05-03 11:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-10-07 12:33 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r---c--- 2007-01-30 11:54 16116224 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r---c--- 2006-05-16 11:04 2879488 c:\windows\SkyTel.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\iCall\\iCall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
R4 AntiVirMailService;Avira AntiVir Premium MailGuard;c:\program files\Avira\AntiVir PersonalEdition Premium\avmailc.exe [2009-01-22 164097]
R4 antivirwebservice;Avira AntiVir Premium WebGuard;c:\program files\Avira\AntiVir PersonalEdition Premium\avwebgrd.exe [2009-01-22 258305]
R4 AVEService;Avira AntiVir Premium MailGuard helper service;c:\program files\Avira\AntiVir PersonalEdition Premium\avesvc.exe [2009-01-22 41217]
S3 cnxt1803;Compaq 10_100 MiniPCI Ethernet NIC Driver;c:\windows\system32\drivers\cnxt1803.sys [2008-09-11 39936]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-22 356920]
.
.
------- Supplementary Scan -------
.
uStart Page = [Link mogu videti samo ulogovani korisnici]
uSearchMigratedDefaultURL = [Link mogu videti samo ulogovani korisnici]{searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = [Link mogu videti samo ulogovani korisnici]
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = [Link mogu videti samo ulogovani korisnici]*http://www.yahoo.com
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Iz&vezi u Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: avsda.dll
TCP: {192140F7-009F-464A-96ED-A390FBC89746} = 62.240.12.1 62.240.12.2
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2009-01-22 23:38:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728-)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(784)
c:\windows\system32\setupapi.dll
c:\windows\system32\avsda.dll
.
Completion time: 2009-01-22 23:39:33
ComboFix-quarantined-files.txt 2009-01-22 22:39:26
ComboFix2.txt 2009-01-22 18:58:29

Pre-Run: 104.794.763.264 bytes free
Post-Run: 104,785,838,080 bytes free

240 --- E O F --- 2009-01-14 23:23:11

Poslao: 23 Jan 2009 16:35
Idi na vrh
offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master učitelj
  • Pridružio: 27 Avg 2005
  • Poruke: 8630
  • Gde živiš: Novi Beograd

Uploaduj mi sledeci fajl:

C:\Validate.exe

preko ovog linka:

[Link mogu videti samo ulogovani korisnici]

Poslao: 24 Jan 2009 19:49
Idi na vrh
offline
  • Pridružio: 08 Dec 2005
  • Poruke: 60
  • Gde živiš: bgd

racunar se sredio,a sada nisam u mogucnosti da ga uploadujem...

Poslao: 24 Jan 2009 20:03
Idi na vrh
offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master učitelj
  • Pridružio: 27 Avg 2005
  • Poruke: 8630
  • Gde živiš: Novi Beograd

bgdbgd ::racunar se sredio,a sada nisam u mogucnosti da ga uploadujem...

Kako to mislis sredio?

Poslao: 24 Jan 2009 22:24
Idi na vrh
offline
  • Pridružio: 08 Dec 2005
  • Poruke: 60
  • Gde živiš: bgd

pa normalno radi... a komp nije u bgd ne mogu da ucinim danas nista...pokusacu sa drugarom...da mu objasnim,ali...

Poslao: 24 Jan 2009 22:29
Idi na vrh
offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master učitelj
  • Pridružio: 27 Avg 2005
  • Poruke: 8630
  • Gde živiš: Novi Beograd

Dobro, ako ne moze da uradi upload, onda neka makar obrise sledeci folder:

C:\RESTORE

i neka ide na Start->Run i neka kuca combofix /u pa OK (da bi deinstalirao ComboFix), ukoliko vec ne moze da uradi upload.

MyCity » Ambulanta -> Arhiva Ambulante » worm/autorun.pex

Ko je trenutno na forumu
 

Ukupno su 2234 korisnika na forumu :: 145 registrovanih, 9 sakrivenih i 2080 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 6018 - dana 19 Dec 2025 13:41

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: -Max-, 015, 252., 357magnum, A.R.Chafee.Jr., Agape, aleksmajstor, Andrija357, AOE, Avalon015, bavar357, Baždaranac, Ben Roj, Betta, Bickoooo, bojan581, Boris BM, borya90, bufanje, BWG, Centauro, CioRio, Colt D, comi, crazydkure, crnitrn, DalmatinacMF, Dambi, Darko8, dekiz, Demi87, Der Rote Baron, Dexlex, djboj, Djokislav, Djuza, dnr, dok80, DonRumataEstorski, doragan, draganl, drimer, Drugard72, dule10savic, dunavzed, Dvogled, Džekson, eighty-one, Emanuel Arsenijevič, Feller, FileFinder, filiphr, Fliper, Glavni Oružni, goflja76, goxin, halkin gol, Igritelj, ISOF, Istman, ivanjovanovic02, ivica976, jaeger, Jaxupa, jeen yuhs, joca83, Jovan1983, Jozo74, Kajzer Soze, Karaula, kikisp, Klass, Komentator, Kredit, Krvava Devetka, kybonacci, Lieutenant, Lucije Kvint, Luke Pathfinder, M74AB3, MaCS, Marko Marković, marko.markovic, MarkoD, mercedesamg, Mercury, metallac777, Mi lao shu, MIKI63, milanpb, Milos ZA, milos97, Mirage 2000N, misaru, mm1811, momcilob55, Mrav Obrad, Myamoto Musashi, Naj-Turs, nebojsag, Nmr, Novakomp, orfanel, peradetlić, Perudin_92, ping15, PlayerOne, Povratak1912, powSrb, precan, prikolica, Primus17, pzoca, raso76, raster12, razumihin, Remain, Remarqe, Resad76, Rocky I, ruso, Samo gledam, sap, Saratoga, Savantije, sekretar, Semberija, Sevatar, Sir Budimir, Smajser, Srki98, Srle993, strn, synergia, Tajpan, The_new_Statesman, Tila Painen, vaci, Valter071, VanZan, Velizar, voja64, vojnik švejk, zombicar153, ČOBAN