AdobeR i Spoo1V kako ukloniti

1

AdobeR i Spoo1V kako ukloniti

offline
  • Pridružio: 05 Avg 2007
  • Poruke: 42
  • Gde živiš: Beograd

Postovani interesujeme kakvo je stanje kod mene i sta bi trebo da ukonim
Gresku mi pravi neki spoo1v.exe
I kako da se riejsim AdobeR.exe

Logfile of HijackThis v1.99.1
Scan saved at 22:06, on 14/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\lvhidsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\spoo1v.exe
C:\WINDOWS\SYSTEM32\RUNDLLFOROUR.EXE
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\AdobeR.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVR\TVR.exe
C:\Program Files\TVR\video.ex_
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\MG WeB StudiO\Desktop\New Folder\TR3.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about.blank.la
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: sosHlpr Class - {00C104F7-0F5C-470C-ABCF-A5B2E70752F1} - C:\WINDOWS\system32\obcts.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\CPUSH\cpush1.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [RavAV] C:\WINDOWS\AdobeR.exe
O4 - HKLM\..\Run: [WinDVRCtrl] C:\WINDOWS\WDVRCtrl.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [System] C:\Program Files\Common Files\system\Updaterun.exe
O4 - HKLM\..\Run: [SmCtrlDrv] D;]XJOEPXT]tztufn43]Svoemm43/fyf!D;]XJOEPXT]tztufn43]deoqsi/emm!Tubsu
O4 - HKLM\..\Run: [Sysmppcv] "C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\SysTdSvr.dll",Start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: D-Link AirPlus DWL-120+ Wireless USB Adapter.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{53351561-D9D2-46F6-AF84-14AA955E7FAC}: NameServer = 80.65.69.69
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Remote HID Service (LvHidSvc) - Philips - C:\WINDOWS\system32\lvhidsvc.exe
O23 - Service: Windows Management Prints System (spoo1v) - Unknown owner - C:\WINDOWS\SYSTEM32\spoo1v.exe

offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Pozdrav,

U pitanju je infekcija koja se prenosi USB stickovima (MP3 playeri, USB flash itd.)

Preuzmi program Flash_Disinfector.

program se pokreće dvoklikom na Flash_Disinfector.exe
kada se pojavi poruka sa obaveštenjem, potrebno je priključiti inficirane USB flash drive-ove (drzi stisnut Shift dok ubacujes stickove da bi se izbegao Autoplay)
kliknuti na OK i sačekati da se proces završi
kada se pojavi poruka Done !!, kliknuti na OK.


Nakon toga napravi nov log uz pomoc programa HijackThis, i postavi ga ovde.

offline
  • Pridružio: 05 Avg 2007
  • Poruke: 42
  • Gde živiš: Beograd

Logfile of HijackThis v1.99.1
Scan saved at 13:20, on 15/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\lvhidsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\SYSTEM32\RUNDLLFOROUR.EXE
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Common Files\system\Updaterun.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
C:\Program Files\TVR\TVR.exe
C:\Program Files\TVR\video.ex_
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\MG WeB StudiO\Desktop\New Folder\TR3.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about.blank.la
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: sosHlpr Class - {00C104F7-0F5C-470C-ABCF-A5B2E70752F1} - C:\WINDOWS\system32\obcts.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\CPUSH\cpush1.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [WinDVRCtrl] C:\WINDOWS\WDVRCtrl.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [System] C:\Program Files\Common Files\system\Updaterun.exe
O4 - HKLM\..\Run: [SmCtrlDrv] D;]XJOEPXT]tztufn43]Svoemm43/fyf!D;]XJOEPXT]tztufn43]deoqsi/emm!Tubsu
O4 - HKLM\..\Run: [Sysmppcv] "C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\SysTdSvr.dll",Start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: D-Link AirPlus DWL-120+ Wireless USB Adapter.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{53351561-D9D2-46F6-AF84-14AA955E7FAC}: NameServer = 80.65.69.69
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Remote HID Service (LvHidSvc) - Philips - C:\WINDOWS\system32\lvhidsvc.exe
O23 - Service: Windows Management Prints System (spoo1v) - Unknown owner - C:\WINDOWS\SYSTEM32\spoo1v.exe

offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

OK, resili smo se Flash infekcije, ali ima jos puno toga da se uradi.

Zamolio bih te da spremis u jedan ZIP sledece fajlove:
C:\WINDOWS\system32\obcts.dll
C:\Program Files\Common Files\CPUSH\cpush1.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
C:\Program Files\Common Files\system\Updaterun.exe
C:\WINDOWS\SYSTEM32\spoo1v.exe
C:\WINDOWS\SYSTEM32\RUNDLLFOROUR.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe

Fajlove nam posalji na proveru preko sledece forme:
http://www.mycity.rs/ambulanta-upload.php

offline
  • Pridružio: 05 Avg 2007
  • Poruke: 42
  • Gde živiš: Beograd

fajlovi.zip

je uplodan - izvinjavam se na sporom odgovorgu
malo sam zauzet a i malo mi interenet steka
tako da se inzvinjavam na sporim odgovorima

hvala sto mi pomazete da ocistim svoj PC

offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Otvori Control Panel > Administrative Tools > Services i u desnoj koloni nadji servis pod imenom Windows Management Prints System.
Klikni na njega desnim dugmetom misa i odaberi opciju Stop.
Klikni opet na njega desnim dugmetom misa i odaberi Properties.
U dijalogu koji se bude otvorio postavi Startup type na Disabled.
Nakon toga pronadji i obrisi fajl C:\WINDOWS\SYSTEM32\spoo1v.exe

Skeniraj ponovo HijackThisom i stikliraj polja ispred sledecih linija:
O2 - BHO: sosHlpr Class - {00C104F7-0F5C-470C-ABCF-A5B2E70752F1} - C:\WINDOWS\system32\obcts.dll
O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\CPUSH\cpush1.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
O4 - HKLM\..\Run: [System] C:\Program Files\Common Files\system\Updaterun.exe
O4 - HKLM\..\Run: [SmCtrlDrv] D;]XJOEPXT]tztufn43]Svoemm43/fyf!D;]XJOEPXT]tztufn43]deoqsi/emm!Tubsu
Klikni na Fix Checked

Nadji na disku i obrisi sledece fajlove:
C:\WINDOWS\system32\obcts.dll
C:\Program Files\Common Files\CPUSH\cpush1.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
C:\Program Files\Common Files\system\Updaterun.exe
C:\WINDOWS\SYSTEM32\spoo1v.exe
C:\WINDOWS\SYSTEM32\RUNDLLFOROUR.EXE

Nakon toga restartuj kompjuter i napravi novi log uz pomoc programa HijackThis i postavi ga ovde.

Zamolio bih te da mi preko one forme za upload uploadujes jos i sledeci fajl na proveru:
C:\WINDOWS\system32\SysTdSvr.dll

offline
  • Pridružio: 05 Avg 2007
  • Poruke: 42
  • Gde živiš: Beograd

Logfile of HijackThis v1.99.1
Scan saved at 21:17, on 17/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\lvhidsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\SYSTEM32\RUNDLLFOROUR.EXE
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\MG WeB StudiO\Desktop\New Folder\TR3.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about.blank.la
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: sosHlpr Class - {00C104F7-0F5C-470C-ABCF-A5B2E70752F1} - C:\WINDOWS\system32\obcts.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [WinDVRCtrl] C:\WINDOWS\WDVRCtrl.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [SmCtrlDrv] D;]XJOEPXT]tztufn43]Svoemm43/fyf!D;]XJOEPXT]tztufn43]deoqsi/emm!Tubsu
O4 - HKLM\..\Run: [Sysmppcv] "C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\SysTdSvr.dll",Start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: D-Link AirPlus DWL-120+ Wireless USB Adapter.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Remote HID Service (LvHidSvc) - Philips - C:\WINDOWS\system32\lvhidsvc.exe

to je novi scan - ali nisma mogo da obrisem one fajlove u system32
kako da ih obrisem

Dopuna: 17 Sep 2007 21:19

fajl je upoldan pod istim imenom

offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Daj mi sledeci fajl na upload:
C:\WINDOWS\system32\SysTdSvr.dll
Kada i njega pregledam, onda cu da ti napisem uputstvo za brisanje onoga sto nije moglo rucno da se obrise.

Jesi li sigurno stiklirao i ovu liniju kada si prosli put uradio Fix u HijackThisu:
O4 - HKLM\..\Run: [SmCtrlDrv] D;]XJOEPXT]tztufn43]Svoemm43/fyf!D;]XJOEPXT]tztufn43]deoqsi/emm!Tubsu
?

Dopuna: 17 Sep 2007 21:30

Skini ComboFix:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

Startuj ga i ne diraj prozor programa dok skenira jer ume da se zaglavi ukoliko ga "uznemiravas".

Sledi uputstva na ekranu. Kada zavrsi pojavice se log koji ces nam ovde iskopirati.

offline
  • Pridružio: 05 Avg 2007
  • Poruke: 42
  • Gde živiš: Beograd

ComboFix 07-09-18.4 - "MG WeB StudiO" 2007-09-18 16:37:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.713 [GMT 2:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\APPLIC~1.\microsoft\pctools
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\microsoft\pctools\pctools.dll
C:\DOCUME~1\ALLUSE~1\APPLIC~1\microsoft\pctools\pctools.dll
C:\DOCUME~1\ALLUSE~1\APPLIC~1\td
C:\DOCUME~1\ALLUSE~1\APPLIC~1\td\a1003.dat
C:\DOCUME~1\ALLUSE~1\APPLIC~1\td\b1003.dat
C:\DOCUME~1\ALLUSE~1\APPLIC~1\td\k1003.dat
C:\DOCUME~1\ALLUSE~1\APPLIC~1\td\p1003.dat
C:\DOCUME~1\ALLUSE~1\APPLIC~1\td\r1003.dat
C:\DOCUME~1\ALLUSE~1\TEMPLA~1.\temp.exe
C:\DOCUME~1\MGWEBS~1\FAVORI~1\7BFA~1.URL
C:\DOCUME~1\MGWEBS~1\LOCALS~1\APPLIC~1\baidu
C:\Program Files\baidu
C:\Program Files\baidu\bar\BaiduBar.cab
C:\Program Files\baidu\bar\baidubar_versionex.txt
C:\Program Files\Common Files\cpush
C:\Program Files\Common Files\cpush\cpush.dll
C:\Program Files\Common Files\cpush\Uninst.exe
C:\Program Files\Common Files\system\updaterun.exe
C:\Program Files\OCINS
C:\Program Files\OCINS\uninstall.exe
C:\WINDOWS\f2.exe
C:\WINDOWS\g3.exe
C:\WINDOWS\KB611311.log
C:\WINDOWS\system\dvl
C:\WINDOWS\system\lvl
C:\WINDOWS\system32\advport.dll
C:\WINDOWS\system32\ckqwo.dll
C:\WINDOWS\system32\cwebpage.dll
C:\WINDOWS\system32\dpniqo46.dll
C:\WINDOWS\system32\drivers\acpidisk.sys
C:\WINDOWS\system32\drivers\dpniqo46.sys
C:\WINDOWS\system32\drivers\idgen.sys
C:\WINDOWS\system32\drivers\kgtse.sys
C:\WINDOWS\system32\drivers\msqmx.sys
C:\WINDOWS\system32\iexp_log.txt
C:\WINDOWS\system32\mprmsgse.axz
C:\WINDOWS\system32\mscpx32r.det
C:\WINDOWS\system32\rundllforour.exe
C:\WINDOWS\system32\score.txt
C:\WINDOWS\system32\SysTdSvr.dll
C:\WINDOWS\system32\vtgxu.dll
C:\WINDOWS\system32\wbem\dwhir.dll
C:\WINDOWS\system32\wbem\gdjqi.dll
C:\WINDOWS\system32\wbem\ocmor.dll
C:\WINDOWS\system32\wbem\qhest.dll
C:\WINDOWS\system32\wbem\wpcmt.dll
C:\WINDOWS\temp\~my1.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ACPIDISK
-------\LEGACY_CNPROV
-------\LEGACY_DPNIQO46
-------\LEGACY_IDGEN
-------\LEGACY_IPRIP
-------\LEGACY_KGTSE
-------\LEGACY_MSQMX
-------\acpidisk
-------\dpniqo46
-------\idgen
-------\Iprip
-------\kgtse
-------\msqmx


((((((((((((((((((((((((( Files Created from 2007-08-18 to 2007-09-18 )))))))))))))))))))))))))))))))
.

2007-09-16 08:45 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-15 13:20 <DIR> drahs---- C:\autorun.inf
2007-09-14 09:18 86,016 --a------ C:\WINDOWS\system32\obcts.dll
2007-09-07 21:10 20,541 --a------ C:\WINDOWS\system32\detoured.dll
2007-09-07 08:10 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2007-09-07 08:10 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-09-07 08:10 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2007-09-07 08:10 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-09-06 22:26 178,999 --a------ C:\DOCUME~1\MGWEBS~1\dodolook020.exe
2007-09-03 06:42 <DIR> d-------- C:\WINDOWS\system32\RG
2007-09-03 06:41 403,113 --a------ C:\DOCUME~1\MGWEBS~1\todd.exe
2007-09-03 06:41 224,216 --a------ C:\WINDOWS\system32\RGShell.dll
2007-09-03 06:41 224,216 --a------ C:\DOCUME~1\MGWEBS~1\RGShell.dll
2007-09-03 06:41 188,416 --a------ C:\DOCUME~1\MGWEBS~1\spool.exe
2007-09-02 07:30 20,480 --a------ C:\DOCUME~1\MGWEBS~1\bind_50104.exe
2007-08-27 14:38 <DIR> d-------- C:\DOCUME~1\MGWEBS~1\APPLIC~1\Leadertech
2007-08-24 11:43 3,688 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-08-22 12:32 <DIR> d-------- C:\DOCUME~1\MGWEBS~1\APPLIC~1\Cogniview
2007-08-22 12:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Cogniview
2007-08-20 23:15 <DIR> d-------- C:\DOCUME~1\MGWEBS~1\APPLIC~1\Ahead
2007-08-20 22:54 <DIR> d-------- C:\DOCUME~1\MGWEBS~1\APPLIC~1\Media Player Classic
2007-08-20 22:50 <DIR> d-------- C:\Program Files\XP Codec Pack
2007-08-19 22:29 396,488 --a------ C:\DOCUME~1\MGWEBS~1\bdd.exe
2007-08-19 21:49 1,776 --a------ C:\WINDOWS\system32\cdnprh.dll
2007-08-19 09:59 8 --a------ C:\WINDOWS\ocinfo.dat
2007-08-19 07:49 214,397 --a------ C:\DOCUME~1\MGWEBS~1\sd.exe
2007-08-19 07:49 <DIR> d-------- C:\Program Files\Common Files\Error Report
2007-08-18 07:01 173,316 --a------ C:\WINDOWS\system32\drivers\mxdispdr.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-14 07:57 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-09-12 14:02 --------- d-------- C:\Program Files\MSN Messenger
2007-08-08 16:58 --------- d-------- C:\Program Files\Kora
2007-08-08 16:55 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-08-08 16:55 249856 --a------ C:\WINDOWS\Setup1.exe
2007-08-07 19:31 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Hagel Technologies
2007-08-04 16:48 --------- d-------- C:\Program Files\AdVantage
2007-08-04 16:44 --------- d-------- C:\Program Files\Winamp
2007-08-04 16:42 --------- d-------- C:\DOCUME~1\MGWEBS~1\APPLIC~1\BSplayer
2007-08-04 16:41 --------- d-------- C:\Program Files\Webteh
2007-08-04 16:41 --------- d-------- C:\DOCUME~1\MGWEBS~1\APPLIC~1\BSplayer Pro
2007-08-04 16:03 --------- d-------- C:\Program Files\Ahead
2007-08-04 16:01 --------- d-------- C:\Program Files\Common Files\Nero
2007-08-04 16:00 --------- d-------- C:\Program Files\Common Files\Ahead
2007-08-04 16:00 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-08-02 21:33 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-07-31 23:13 --------- d-------- C:\Program Files\NoAdware5.0
2007-07-30 16:00 --------- d-------- C:\Program Files\Picasa2
2007-07-30 14:38 --------- d-------- C:\Program Files\Google
2007-07-26 14:19 --------- d-------- C:\Program Files\AutoCAD 2007
2007-07-26 14:19 --------- d-------- C:\DOCUME~1\MGWEBS~1\APPLIC~1\Autodesk
2007-07-26 14:18 --------- d-------- C:\Program Files\Common Files\Autodesk Shared
2007-07-26 14:17 --------- d-------- C:\Program Files\AnswerWorks 4.0
2007-07-26 14:16 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Autodesk
2007-07-26 14:14 --------- d-------- C:\Program Files\Autodesk
2007-07-25 18:35 --------- d-------- C:\Program Files\Microsoft IntelliPoint 5.5
2007-07-23 21:09 --------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-07-23 21:09 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-07-23 07:59 --------- d-------- C:\DOCUME~1\MGWEBS~1\APPLIC~1\Corel
2007-07-23 07:58 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
2007-07-23 07:55 --------- d-------- C:\Program Files\Corel
2007-07-23 07:55 --------- d-------- C:\Program Files\Common Files\Corel
2007-07-23 07:46 --------- d-------- C:\DOCUME~1\MGWEBS~1\APPLIC~1\AdobeUM
2007-07-22 21:58 --------- d-------- C:\Program Files\totalcmd
2007-07-22 20:05 --------- d-------- C:\Program Files\MSBuild
2007-07-22 20:05 --------- d-------- C:\Program Files\Microsoft Works
2007-07-22 16:23 --------- d-------- C:\Program Files\TVR
2007-07-22 16:23 --------- d-------- C:\Program Files\Teletext
2007-07-22 16:15 --------- d-------- C:\DOCUME~1\MGWEBS~1\APPLIC~1\Talkback
2007-07-22 16:00 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-22 16:00 --------- d-------- C:\Program Files\AIRPLUS
2007-07-22 15:19 --------- d-------- C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nForce Tray Options"="sstray.exe" [2002-11-13 09:34 C:\WINDOWS\system32\sstray.exe]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"WinDVRCtrl"="C:\WINDOWS\WDVRCtrl.exe" []
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-16 01:15]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"DU Meter"="C:\Program Files\DU Meter\DUMeter.exe" [2006-11-27 15:18]
"SmCtrlDrv"="D;]XJOEPXT]tztufn43]Svoemm43/fyf!D;]XJOEPXT]tztufn43]deoqsi/emm!Tubsu" []
"Sysmppcv"="C:\WINDOWS\system32\Rundll32.exe" [2004-08-04 00:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 15:43:54]
D-Link AirPlus DWL-120+ Wireless USB Adapter.lnk - C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE [2007-07-22 16:00:21]

C:\DOCUME~1\MGWEBS~1\STARTM~1\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]
"C:\Program Files\AdVantage\AdVantage.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RavAV]
C:\WINDOWS\AdobeR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecSche]
"C:\Program Files\TVR\RecSche.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScanRegistry]
C:\W

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StillImageMonitor]
C:\W

R0 1i28ouf;1i28ou;C:\WINDOWS\system32\DRIVERS\1i28ouf.sys
R0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\si3112r.sys
R2 lxse5dhxvs;lxse5dhxvs;\??\C:\WINDOWS\system32\drivers\lxse5dhxvs.sys
R2 MSMQ;Message Queuing;C:\WINDOWS\system32\mqsvc.exe
R2 MSMQTriggers;Message Queuing Triggers;C:\WINDOWS\system32\mqtgsvc.exe
R2 mxdispdr;mxdispdr;\??\C:\WINDOWS\system32\drivers\mxdispdr.sys
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
R3 LVCap138;TV Card Capture Driver;C:\WINDOWS\system32\DRIVERS\tvcap.sys
R3 lvtuner;Mercury TV Card WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\tvtuner.sys
R3 MQAC;Message Queuing access control;\??\C:\WINDOWS\system32\drivers\mqac.sys
R3 RMCAST;Reliable Multicast Protocol driver;\??\C:\WINDOWS\system32\drivers\RMCast.sys
R3 TIACXUSB;D-Link AirPlus DWL-120+ Wireless USB Adapter;C:\WINDOWS\system32\Drivers\tiacxusb.sys
S0 iokilps;iokilp;C:\WINDOWS\system32\DRIVERS\iokilps.sys
S0 ipdname;ipdnam;C:\WINDOWS\system32\DRIVERS\ipdname.sys
S0 pcibc;pcib;C:\WINDOWS\system32\DRIVERS\pcibc.sys
S2 AtHome;Clipboard;C:\WINDOWS\System32\svchost.exe -k netsvcs
S2 WIDETS;Performance Moniter;C:\WINDOWS\SYSTEM32\RUNDLLFOROUR.EXE C:\WINDOWS\SYSTEM32\WBEM\QHEST.DLL,DllRegisterServer 1087
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 TIAcxubt;D-Link WLAN USB Boot Device;C:\WINDOWS\system32\Drivers\tiacxubt.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2007-09-18 16:41:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\combofix]
"ImagePath"="C:\WINDOWS\system32\cmd.exe /c start /i /dC:\ComboFix\ C:\WINDOWS\system32\cmd.exe /c Sys.bat /\c@"
.
Completion time: 2007-09-18 16:42:05 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-18 16:41
.
--- E O F ---

to je log od ComboFix

a onaj fajl sam bio uplodovo kao dll ali nakon restarta od strene combofix vise ga nema u system32

prvi put sam strihiro sve linije u Hijack TISHU

Dopuna: 18 Sep 2007 16:47

O4 - HKLM\..\Run: [SmCtrlDrv] D;]XJOEPXT]tztufn43]Svoemm43/fyf!D;]XJOEPXT]tztufn43]deoqsi/emm!Tubsu

a ovu liniju sam nekoliko puta pokuso da uklonim ali nece
uradi sve i ponovo skeniram i opet ima dok su se ostale uklonile

Dopuna: 18 Sep 2007 16:48

Logfile of HijackThis v1.99.1
Scan saved at 16:51, on 18/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\lvhidsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\MG WeB StudiO\Desktop\New Folder\TR3.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about.blank.la
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [WinDVRCtrl] C:\WINDOWS\WDVRCtrl.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [SmCtrlDrv] D;]XJOEPXT]tztufn43]Svoemm43/fyf!D;]XJOEPXT]tztufn43]deoqsi/emm!Tubsu
O4 - HKLM\..\Run: [Sysmppcv] "C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\SysTdSvr.dll",Start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: D-Link AirPlus DWL-120+ Wireless USB Adapter.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{53351561-D9D2-46F6-AF84-14AA955E7FAC}: NameServer = 80.65.69.69
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Remote HID Service (LvHidSvc) - Philips - C:\WINDOWS\system32\lvhidsvc.exe
O23 - Service: Performance Moniter (WIDETS) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLLFOROUR.EXE (file missing)

to je novi scan

offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Mozes li da mi posaljes na proveru i sledece fajlove:

C:\DOCUME~1\MGWEBS~1\dodolook020.exe
C:\DOCUME~1\MGWEBS~1\todd.exe
C:\WINDOWS\system32\RGShell.dll
C:\DOCUME~1\MGWEBS~1\RGShell.dll
C:\DOCUME~1\MGWEBS~1\spool.exe
C:\DOCUME~1\MGWEBS~1\bind_50104.exe
C:\DOCUME~1\MGWEBS~1\bdd.exe
C:\WINDOWS\system32\cdnprh.dll
C:\DOCUME~1\MGWEBS~1\sd.exe
C:\WINDOWS\system32\drivers\mxdispdr.sys


C:\DOCUME~1\MGWEBS~1 = C:\Documents and Settings\MG WeB StudiO\

btw. imas li instaliran Microsoft Personal Web Server?

Ko je trenutno na forumu
 

Ukupno su 1125 korisnika na forumu :: 41 registrovanih, 9 sakrivenih i 1075 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: airsuba, ajo baba, Andrija357, ArchaBasha, Asparagus, babaroga, BraneS, BSD, bufanje, cifra, Darko8, dmdr, draganca, GenZee, gorican, HogarStrashni, HrcAk47, Ivica1102, Krusarac, Krvava Devetka, Kubovac, LUDI, mikrimaus, mile23, milenko crazy north, milimoj, milos.cbr, moldway, nemkea71, oldtimer, opt1, Panter, panzerwaffe, Parker, pein, stalja, vathra, Velizar, Webb, YugoSlav, Zi0mek