Explorer disappears and reappears...


  • Joined: 04 Nov 2007
  • Posts: 22

I turned off Anti-Hacker... End Tasked explorer and didn't allow some Browser Helper Object to start... I sent the file!

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

files:
C:\Documents and Settings\Athlon\Local Settings\Temp\VZDBGXGIKN.exe


Try this script for Catchme, same procedure as before.
Before, it couldn't find the file.

As for what you sent me:
avrsvc.exe - malicious
efcdeby.dll and iifdbyw.dll - malicious
tmcomm.sys - legitimate

For the rest I have to consult with friends.

  • Joined: 04 Nov 2007
  • Posts: 22

...now it reported an error!
That avrsvc.exe keeps reappearing (KIS6 had found it and deleted it)...
By the way, you say it's malicious... so what should I do with it!?
When you find out something about what to do next, let me know... thanks in any case for the effort!

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Do you have an MSI graphics card and an overclocking program for it?
That SW24.exe could be for something like that, so let's check.

Second, can you go into the folder:
C:\Documents and Settings\Athlon\Local Settings\Temp\

See what files with the EXE extension are in there. We're looking for a file with a totally silly name.
Once it was called VZDBGXGIKN.exe, before that HJKHEK.exe, and so on.
If you find anything, please zip it and send it.


Now, let's do something concrete about the cleanup as well.
Start Catchme again and enter the following script:
files to kill:
C:\WINDOWS\system32\efcdeby.dll
C:\WINDOWS\system32\iifdbyw.dll
C:\WINDOWS\system32\vyadd.bak2
C:\WINDOWS\system32\avrsvc.exe
C:\WINDOWS\msnchk.exe


Click Run
After it finishes, send me Catchme.zip from the desktop again; it contains the log I want to look at to see what it managed to remove.

  • Joined: 04 Nov 2007
  • Posts: 22

Yes, I have an MSI graphics card and that's from it!

I'm looking from Total Commander with Hidden/System files turned on! There's almost nothing in that folder at the moment! There are three folders: flashgot.s2fl6ryp.default (with flashgot.exe.test in it); hsperfdata_Athlon (396 - no extension); plugtmp (empty), and two files: jet2.tmp (0kb); spsmvpyn.dll (53.248kb)!

Ran catchme... and sent it!

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Upload that spsmvpyn.dll; Google has no information on it at all, so I think it isn't quite clean.

Update: 04 Nov 2007 13:47

Once you've uploaded that DLL, restart the computer, run ComboFix (you already have it) and post its new log here. Also post a new HijackThis log.

  • Joined: 04 Nov 2007
  • Posts: 22

Well, I can't send it, it's gone now..., and a new empty folder WPDNSE has appeared! Now

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Milance, I have to leave now; I'll be back here tonight.
Tonight you'll post the ComboFix and HijackThis logs, and we'll see what we can do.

One of the analysts from Avira got back to me and said that msnchk.exe and winsys2.exe are legitimate.
Winsys2.exe is something related to nVidia cards (so we don't delete it), and msnchk.exe was from some tool you tried for cleaning the MSN worm (so it's no problem that we deleted it).

  • Joined: 04 Nov 2007
  • Posts: 22

OK, I'll type up everything that happened now... reply when you can!

First of all, after the restart I got this error:
Explorer.exe - bad image
The application or DLL c:\Windows\System32\HFDBYW.DLL is not a valid Windows image. Please check this against your installation diskette!
I had to press OK several times before it finally closed!

After that, it reported the same error when I started ComboFix (ComboFix.exe - bad image... the same error)!

When Combo finished and restarted... it gave me the same error for LULNCHR.EXE (but not for Explorer.exe)!

Here's the Combo log:

ComboFix 07-11-01.1** - Athlon 2007-11-04 13:55:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.633 [GMT 1:00]
Running from: D:\My Download Files\Programi\Antivirusi\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\rqstv.bak1
C:\WINDOWS\system32\rqstv.ini
C:\WINDOWS\system32\vtsqr.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-04 to 2007-11-04 )))))))))))))))))))))))))))))))
.

2007-11-04 12:04 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-04 11:55 <DIR> d-------- C:\Program Files\MSN Messenger
2007-11-03 16:08 36,352 --a------ C:\WINDOWS\system32\efcdeby.dll
2007-11-03 16:07 36,352 --a------ C:\WINDOWS\system32\iifdbyw.dll
2007-11-03 09:42 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-11-03 09:42 17,029,408 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-03 09:42 173,600 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-03 00:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-02 23:26 <DIR> d-------- C:\VundoFix Backups
2007-11-02 23:22 <DIR> d-------- C:\Documents and Settings\Athlon\Application Data\Media Player Classic
2007-11-02 22:11 <DIR> d-------- C:\Documents and Settings\Athlon\Application Data\HouseCall 6.6
2007-11-02 19:38 <DIR> d-------- C:\Program Files\CCleaner
2007-11-02 16:49 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-11-02 16:47 1,032,192 --a--c--- C:\WINDOWS\system32\dllcache\explorer.exe
2007-11-02 16:47 1,032,192 --a------ C:\WINDOWS\explorer.exe
2007-11-02 16:38 122,880 --a------ C:\WINDOWS\system32\Sky2PCUI.dll
2007-11-02 16:38 118,784 --a------ C:\WINDOWS\system32\SkyDll.dll
2007-11-02 16:38 102,400 --a------ C:\WINDOWS\system32\libbz2.dll
2007-11-02 03:03 6,470 --ahs---- C:\WINDOWS\system32\vyadd.bak2
2007-11-02 02:52 <DIR> d-------- C:\Program Files\ClamWin
2007-11-02 02:52 <DIR> d-------- C:\Documents and Settings\Athlon\Application Data\.clamwin
2007-11-02 02:52 <DIR> d-------- C:\Documents and Settings\All Users\.clamwin
2007-11-01 14:54 <DIR> d-------- C:\Documents and Settings\Athlon\.housecall6.6
2007-11-01 04:17 10,752 -rahs---- C:\WINDOWS\system32\avrsvc.exe
2007-11-01 01:14 3,377 --a------ C:\WINDOWS\msnchk.exe
2007-10-31 01:46 6,510 --ahs---- C:\WINDOWS\system32\uttss.bak2
2007-10-29 00:30 <DIR> d-------- C:\Pro_Evolution_Soccer_2008-FLT
2007-10-27 09:57 <DIR> d-------- C:\Documents and Settings\Athlon\Application Data\Nokia Multimedia Player
2007-10-25 23:39 <DIR> d---s---- C:\Documents and Settings\Athlon\UserData
2007-10-21 23:00 <DIR> d-------- C:\Documents and Settings\Athlon\Application Data\IMVU
2007-10-21 22:59 <DIR> d-------- C:\Program Files\IMVU
2007-10-21 01:35 <DIR> d-------- C:\Program Files\Common Files\Oberon Media
2007-10-21 01:11 <DIR> d-------- C:\Program Files\TERMINAL Studio
2007-10-21 00:25 <DIR> d-------- C:\Program Files\Oberon Media
2007-10-20 19:29 <DIR> d-------- C:\Program Files\Atlantis
2007-10-19 21:53 <DIR> d-------- C:\Documents and Settings\Athlon\Application Data\Apple Computer
2007-10-19 21:48 <DIR> d-------- C:\Program Files\QuickTime
2007-10-19 21:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-19 21:45 <DIR> d-------- C:\Program Files\Apple Software Update
2007-10-19 21:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-10-15 22:03 11,648 --a------ C:\WINDOWS\system32\drivers\ggsemc.sys
2007-10-12 19:04 <DIR> d-------- C:\Downloads
2007-10-12 18:44 <DIR> d-------- C:\Documents and Settings\Athlon\Application Data\FlashGet
2007-10-09 22:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Test Drive Unlimited
2007-10-05 23:53 <DIR> d-------- C:\Program Files\MySpace
2007-10-05 23:53 <DIR> d-------- C:\Documents and Settings\Athlon\Application Data\MySpace
2007-10-04 00:06 <DIR> d-------- C:\Program Files\Magicbit
2007-10-04 00:00 <DIR> d-------- C:\Program Files\MIKSOFT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-04 12:59 233,300 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-04 12:59 18,368 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-04 12:42 --------- d-----w C:\Program Files\UpsPilot
2007-11-03 11:50 3,001 --sha-w C:\Documents and Settings\Athlon\ppUser.dat
2007-11-03 00:42 --------- d-----w C:\Documents and Settings\Athlon\Application Data\uTorrent
2007-11-02 22:22 --------- d-----w C:\Program Files\TechniSat DVB
2007-11-02 22:22 --------- d-----w C:\Program Files\DVBViewerTE
2007-11-02 22:22 --------- d-----w C:\Program Files\Common Files\Real
2007-11-02 22:22 --------- d-----w C:\Documents and Settings\Athlon\Application Data\Bioshock
2007-11-02 15:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-02 15:02 --------- d-----w C:\Program Files\uTorrent
2007-11-02 15:02 --------- d-----w C:\Program Files\Tunebite
2007-11-02 15:02 --------- d-----w C:\Program Files\Tetrix
2007-11-02 15:02 --------- d-----w C:\Program Files\LimeWire
2007-11-02 15:02 --------- d-----w C:\Program Files\FlashFXP
2007-11-02 15:02 --------- d-----w C:\Program Files\Disc2Phone
2007-11-02 15:02 --------- d-----w C:\Program Files\CloneDVD
2007-11-02 15:02 --------- d-----w C:\Program Files\AutoGK
2007-11-02 01:55 --------- d-----w C:\Documents and Settings\Athlon\Application Data\.clamwin
2007-11-01 11:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-31 11:54 --------- d-----w C:\Program Files\DAEMON Tools
2007-10-31 11:53 --------- d-----w C:\Program Files\CoolWallpaper
2007-10-21 21:59 --------- d-----w C:\Program Files\FlashGet
2007-10-15 21:03 --------- d-----w C:\Program Files\Sony Ericsson
2007-10-15 13:25 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2007-10-15 13:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2007-10-10 15:07 --------- d-----w C:\Program Files\DivX
2007-10-06 21:00 --------- d-----w C:\Program Files\Common Files\ACD Systems
2007-10-06 21:00 --------- d-----w C:\Program Files\ACD Systems
2007-10-06 21:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2007-09-26 21:23 --------- d-----w C:\Documents and Settings\Athlon\Application Data\Sony
2007-09-23 21:25 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-20 11:09 --------- d-----w C:\Documents and Settings\Athlon\Application Data\MyPhoneExplorer
2007-09-20 10:49 --------- d-----w C:\Program Files\MyPhoneExplorer
2007-09-20 10:15 --------- d-----w C:\Documents and Settings\Athlon\Application Data\Teleca
2007-09-20 08:26 --------- d-----r C:\Documents and Settings\Athlon\Application Data\SecuROM
2007-09-20 08:09 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-09-20 00:56 --------- d-----w C:\Program Files\Java
2007-09-19 23:41 --------- d-----w C:\Documents and Settings\Athlon\Application Data\Sony Ericsson
2007-09-19 23:39 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2007-09-19 23:39 --------- d-----w C:\Program Files\Common Files\Sony Ericsson Shared
2007-09-19 23:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Teleca
2007-09-19 23:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-09-18 13:29 --------- d-----w C:\Program Files\Incomplete
2007-09-13 14:29 --------- d-----w C:\Program Files\eMule
2007-09-09 11:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-08-12 21:59 84,992 ----a-w C:\WINDOWS\system32\vrty.exe
2007-08-02 12:45 1 ----a-w C:\Documents and Settings\Athlon\SI.bin
2007-01-31 17:43 87,608 ----a-w C:\Documents and Settings\Athlon\Application Data\ezpinst.exe
2007-01-31 17:43 47,360 ----a-w C:\Documents and Settings\Athlon\Application Data\pcouffin.sys
2006-12-01 18:36 20,328 ----a-w C:\Documents and Settings\Athlon\Application Data\GDIPFONTCACHEV1.DAT
2006-10-28 08:41:34 56 --sh--r C:\WINDOWS\system32\5160F755D4.sys
2007-08-02 18:25:54 5,642 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2007-11-04_12.16.29.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-03 22:56:48 36,864 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
+ 2007-07-30 18:18:40 33,624 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
- 2007-11-04 11:12:31 62,344 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-04 12:55:56 62,344 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-04 11:12:31 401,064 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-04 12:55:56 401,064 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-04 13:00:41 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_908.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{38C4EEFC-D740-4E10-A883-3BF32E0CD9AB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
2007-11-03 16:07 36352 --a------ C:\WINDOWS\system32\iifdbyw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69E81DA4-7D00-4B90-9C08-974E0045CB74}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A6008D0-B2E9-4E69-89A5-411442B7083C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F83A7343-0717-44F8-90C1-F373309BC332}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43]
"SW20"="C:\WINDOWS\system32\sw20.exe" [2006-12-15 10:58]
"CTSysVol"="C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 09:43]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 16:24]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 16:21]
"Winpower"="C:\Program Files\UpsPilot\Winpower.exe" [2007-08-03 14:25]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"P17Helper"="P17.dll" [2005-05-03 19:38 C:\WINDOWS\system32\P17.dll]
"kis"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" [2006-03-24 19:09]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 11:48]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Winpower"=C:\Program Files\UpsPilot\Winpower.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-07-19 19:05:02]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-12-04 11:53:20]
Server4PC.lnk - C:\Program Files\TechniSat DVB\bin\Server4PC.exe [2007-11-02 16:38:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"= C:\WINDOWS\system32\iifdbyw.dll [2007-11-03 16:07 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifdbyw]
iifdbyw.dll 2007-11-03 16:07 36352 C:\WINDOWS\system32\iifdbyw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtsqr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"matlabserver"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
"LDM"=C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
"SweetIM"=C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"P17Helper"=Rundll32 P17.dll,P17Helper
"SW24"=C:\WINDOWS\system32\sw24.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"WinSys2"=C:\WINDOWS\system32\winsys2.exe
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
"googletalk"=C:\Program Files\Google\Google Talk\googletalk.exe /autostart
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
"PCSuiteTrayApplication"=C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
"DataLayer"=C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
"nwiz"=nwiz.exe /install
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
"SweetIM"=C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" --logon

R0 pe3ah4nc;DiRT Environment Driver (pe3ah4nc);C:\WINDOWS\system32\drivers\pe3ah4nc.sys
R0 ps6ah4nc;DiRT Synchronization Driver (ps6ah4nc);C:\WINDOWS\system32\drivers\ps6ah4nc.sys
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\C:\Program Files\CyberLink\PowerDVD\000.fcl
R2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys
R2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs
R3 P17;SB Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys
R3 SKYNET;TechniSat DVB-PC TV Star PCI;C:\WINDOWS\system32\DRIVERS\SkyNET.SYS
R3 tbhsd;Tunebite High-Speed Dubbing;C:\WINDOWS\system32\drivers\tbhsd.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S1 Cinemsup;Cinemsup;\??\C:\WINDOWS\system32\drivers\cinemsup.sys
S2 DbgMsg;Debug Message;\??\C:\WINDOWS\System32\Drivers\DbgMsg.sys
S2 pr2ah4nc;DiRT Drivers Auto Removal (pr2ah4nc);C:\WINDOWS\system32\pr2ah4nc.exe svc
S3 HJKHEK;HJKHEK;C:\DOCUME~1\Athlon\LOCALS~1\Temp\HJKHEK.exe
S3 MosIrUsb;MosIrUsb.sys;C:\WINDOWS\system32\DRIVERS\MosIrUsb.sys
S3 RTCore;RTCore;\??\D:\My Download Files\Programi\RightMark Memory Analyzer 3.45\RTCore.sys
S3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmHidLo;Logitech WingMan USB Filter Driver;C:\WINDOWS\system32\drivers\WmHidLo.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys
S4 VZDBGXGIKN;VZDBGXGIKN;C:\DOCUME~1\Athlon\LOCALS~1\Temp\VZDBGXGIKN.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ecc860c3-32d5-11dc-bf5e-001109d57c1f}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2007-11-04 14:00:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-04 14:02:17 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-04 12:17
.
--- E O F ---


...and the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:03:01 PM, on 11/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\UpsPilot\Winpower.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\UpsPilot\jre\bin\javaw.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\TechniSat DVB\bin\Server4PC.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\PROGRA~1\UpsPilot\monitor.exe
C:\Program Files\UpsPilot\jre\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\UpsPilot\wpRMI.exe
C:\Program Files\UpsPilot\jre\bin\javaw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\totalcmd\TOTALCMD.EXE
D:\HijackThis\TY1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/MSI/Live%20Update%203/MSI.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {38C4EEFC-D740-4E10-A883-3BF32E0CD9AB} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\iifdbyw.dll
O2 - BHO: (no name) - {69E81DA4-7D00-4B90-9C08-974E0045CB74} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7A6008D0-B2E9-4E69-89A5-411442B7083C} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O2 - BHO: (no name) - {F83A7343-0717-44F8-90C1-F373309BC332} - (no file)
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Winpower] C:\Program Files\UpsPilot\Winpower.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\RunServices: [Winpower] C:\Program Files\UpsPilot\Winpower.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Server4PC.lnk = C:\Program Files\TechniSat DVB\bin\Server4PC.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: msi.com.tw
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - secure.gopetslive.com/dev/GoPetsWeb.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: iifdbyw - C:\WINDOWS\SYSTEM32\iifdbyw.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: HJKHEK - Unknown owner - C:\DOCUME~1\Athlon\LOCALS~1\Temp\HJKHEK.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: DiRT Drivers Auto Removal (pr2ah4nc) (pr2ah4nc) - CODEMASTERS - C:\WINDOWS\system32\pr2ah4nc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Winpowermanager - Macrovision - C:\PROGRA~1\UpsPilot\manager.exe
O23 - Service: Winpowermonitor - Macrovision - C:\PROGRA~1\UpsPilot\monitor.exe
O23 - Service: WinpowerRMI - Macrovision - C:\PROGRA~1\UpsPilot\wpRMI.exe

Update: 04 Nov 2007 17:48

I see I copied the message down wrong, so just to correct it... it should be "c:\Windows\System32\IIFDBYW.DLL" (i.e. two "i"s instead of "h")!
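Going through a ComboFix log by hand, as the helper does in this thread, comes down to a few cross-checks: which recently created files carry hidden+system attributes, which services start from a user's Temp folder, and which autostart keys point at files that only appeared in the last few days. The following Python script is an added example (not part of the thread, and not code from ComboFix, Catchme or the helper) that performs those checks over a constructed subset of the log lines posted above. Note that the attribute rule also catches Kaspersky's fidbox.dat, which is why the output is a triage list for a person to verify (as the helper did by asking Avira) rather than a removal list.

```python
import re
from collections import namedtuple

# Constructed sample: a subset of lines copied from the ComboFix log posted above
# (Files Created, Reg Loading Points, services), in the order ComboFix prints them.
SAMPLE_LOG = r"""((((((((((((((((((((((((( Files Created from 2007-10-04 to 2007-11-04 )))))))))))))))))))))))))))))))
.
2007-11-04 12:04 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-04 11:55 <DIR> d-------- C:\Program Files\MSN Messenger
2007-11-03 16:08 36,352 --a------ C:\WINDOWS\system32\efcdeby.dll
2007-11-03 16:07 36,352 --a------ C:\WINDOWS\system32\iifdbyw.dll
2007-11-03 09:42 17,029,408 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-03 00:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-02 03:03 6,470 --ahs---- C:\WINDOWS\system32\vyadd.bak2
2007-11-01 04:17 10,752 -rahs---- C:\WINDOWS\system32\avrsvc.exe
2007-11-01 01:14 3,377 --a------ C:\WINDOWS\msnchk.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
2007-11-03 16:07 36352 --a------ C:\WINDOWS\system32\iifdbyw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43]
"kis"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" [2006-03-24 19:09]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifdbyw]
iifdbyw.dll 2007-11-03 16:07 36352 C:\WINDOWS\system32\iifdbyw.dll

R2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys
S3 HJKHEK;HJKHEK;C:\DOCUME~1\Athlon\LOCALS~1\Temp\HJKHEK.exe
S4 VZDBGXGIKN;VZDBGXGIKN;C:\DOCUME~1\Athlon\LOCALS~1\Temp\VZDBGXGIKN.exe
"""

# Section banner: "((((( Title )))))" -> Title
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# File line: date time size attrs path  (directories show <DIR> as size and are skipped)
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+([-a-z]{9})\s+(.+)$")
# Service/driver line: "S3 name;display name;image path"
SERVICE_RE = re.compile(r"^[RS]\d\s+[^;]+;[^;]*;(.+)$")
# Per-user Temp folder in either long or 8.3 form
TEMP_RE = re.compile(r"\\(?:locals~1|local settings)\\temp\\", re.I)

Finding = namedtuple("Finding", "reason path")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def created_files(lines):
    """Map lower-case basename -> full path for every file in 'Files Created'."""
    created, section = {}, None
    for line in lines:
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
        elif section and section.startswith("Files Created"):
            m = FILE_RE.match(line)
            if m:
                created[basename(m.group(2))] = m.group(2)
    return created


def triage(log_text):
    """Return a list of Finding(reason, path) for a person to verify."""
    lines = log_text.splitlines()
    created = created_files(lines)  # first pass: what is new on this machine
    findings, section, key = [], None, None
    for line in lines:
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
        elif section and section.startswith("Files Created"):
            m = FILE_RE.match(line)
            # Rule 1: a new file under system32 that hides itself (hidden + system attributes)
            if m and "h" in m.group(1) and "s" in m.group(1) and "\\system32\\" in m.group(2).lower():
                findings.append(Finding("new hidden+system file under system32", m.group(2)))
        elif section == "Reg Loading Points":
            m = SERVICE_RE.match(line)
            if m:
                # Rule 2: a service or driver whose image lives in a user's Temp folder
                if TEMP_RE.search(m.group(1)):
                    findings.append(Finding("service binary lives in a user Temp directory", m.group(1)))
            elif line.startswith("["):
                key = line.strip("[]")  # remember the registry key the next lines belong to
            else:
                # Rule 3: an autostart value that points at one of the recently created files
                for base, path in created.items():
                    if base in line.lower():
                        findings.append(Finding(f"autostart key {key} references a recently created file", path))
                        break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: {f.path}")
```

Run against the sample, the script lists fidbox.dat, vyadd.bak2 and avrsvc.exe for their attributes, iifdbyw.dll twice (the BHO key and the Winlogon Notify key both load it), and the two Temp services HJKHEK and VZDBGXGIKN, while NvCpl.dll, avp.exe and tmcomm.sys produce nothing. Each rule on its own is weak; the value is in a file showing up under more than one of them.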

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Let's try it this way - scan again with HijackThis and tick the boxes in front of the following lines:

O2 - BHO: (no name) - {38C4EEFC-D740-4E10-A883-3BF32E0CD9AB} - (no file)
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\iifdbyw.dll
O2 - BHO: (no name) - {69E81DA4-7D00-4B90-9C08-974E0045CB74} - (no file)
O2 - BHO: (no name) - {7A6008D0-B2E9-4E69-89A5-411442B7083C} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F83A7343-0717-44F8-90C1-F373309BC332} - (no file)
O20 - Winlogon Notify: iifdbyw - C:\WINDOWS\SYSTEM32\iifdbyw.dll
O23 - Service: HJKHEK - Unknown owner - C:\DOCUME~1\Athlon\LOCALS~1\Temp\HJKHEK.exe (file missing)

Click Fix Checked

If any program that protects the registry asks whether you want to allow the changes - allow them.
After that, restart the computer, then make a new HijackThis log and post it here.
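The eight lines chosen above follow rules that can be written down: every BHO with no name (whether its file is gone or still present), a Winlogon Notify DLL that is also registered as a BHO, and a service whose binary lives in a user's Temp folder. As an added example (not part of the thread, and not code from HijackThis or the helper), this Python script applies those rules to a constructed subset of the HijackThis log posted earlier and reproduces exactly the helper's list, leaving the legitimate Adobe, Kaspersky (klogon) and NVIDIA entries alone. Its output is a candidate list to review, not a Fix Checked list on its own.

```python
import re

# Constructed sample: a subset of lines copied from the HijackThis log posted earlier in
# this thread, with legitimate neighbours (Adobe BHO, klogon, NVSvc, the AVP service)
# left in so that the rules have something to pass over.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {38C4EEFC-D740-4E10-A883-3BF32E0CD9AB} - (no file)
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\iifdbyw.dll
O2 - BHO: (no name) - {69E81DA4-7D00-4B90-9C08-974E0045CB74} - (no file)
O2 - BHO: (no name) - {7A6008D0-B2E9-4E69-89A5-411442B7083C} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F83A7343-0717-44F8-90C1-F373309BC332} - (no file)
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O20 - Winlogon Notify: iifdbyw - C:\WINDOWS\SYSTEM32\iifdbyw.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: HJKHEK - Unknown owner - C:\DOCUME~1\Athlon\LOCALS~1\Temp\HJKHEK.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# The eight lines the helper asked to have ticked in the post above, verbatim.
HELPER_FIX_LIST = [
    r"O2 - BHO: (no name) - {38C4EEFC-D740-4E10-A883-3BF32E0CD9AB} - (no file)",
    r"O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\iifdbyw.dll",
    r"O2 - BHO: (no name) - {69E81DA4-7D00-4B90-9C08-974E0045CB74} - (no file)",
    r"O2 - BHO: (no name) - {7A6008D0-B2E9-4E69-89A5-411442B7083C} - (no file)",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O2 - BHO: (no name) - {F83A7343-0717-44F8-90C1-F373309BC332} - (no file)",
    r"O20 - Winlogon Notify: iifdbyw - C:\WINDOWS\SYSTEM32\iifdbyw.dll",
    r"O23 - Service: HJKHEK - Unknown owner - C:\DOCUME~1\Athlon\LOCALS~1\Temp\HJKHEK.exe (file missing)",
]

# "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
BHO_RE = re.compile(r"^O2 - BHO: (.+?) - \{[0-9A-Fa-f-]+\} - (.+)$")
# "O20 - Winlogon Notify: <subkey> - <dll path>"
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: \S+ - (.+)$")
# "O23 - Service: <display name> - <owner> - <image path>"; a display name that itself
# contains " - " would split wrongly, none in this log does.
SERVICE_RE = re.compile(r"^O23 - Service: .+? - .+? - (.+)$")
# Per-user Temp folder in either long or 8.3 form
TEMP_RE = re.compile(r"\\(?:locals~1|local settings)\\temp\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].split(" ")[0].lower()


def select_fix_lines(log_text):
    """Return [(line, reason)] for the entries a reviewer should look at."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    selected, bho_dlls = [], set()
    # Rule 1: BHO entries with no name, orphaned ("(no file)") or still loading a DLL.
    for line in lines:
        m = BHO_RE.match(line)
        if not m:
            continue
        name, target = m.groups()
        if target != "(no file)":
            bho_dlls.add(basename(target))
        if name == "(no name)":
            reason = "orphaned BHO registration" if target == "(no file)" else "unnamed BHO loading a DLL"
            selected.append((line, reason))
    for line in lines:
        # Rule 2: the same DLL hooked into Winlogon and registered as a BHO.
        m = NOTIFY_RE.match(line)
        if m and basename(m.group(1)) in bho_dlls:
            selected.append((line, "Winlogon Notify DLL is also registered as a BHO"))
            continue
        # Rule 3: a service whose binary lives in a user's Temp folder.
        m = SERVICE_RE.match(line)
        if m and TEMP_RE.search(m.group(1)):
            selected.append((line, "service binary in a user Temp directory"))
    return selected


if __name__ == "__main__":
    for line, reason in select_fix_lines(SAMPLE_HJT):
        print(f"[{reason}] {line}")
```

The AVP service line is deliberately kept in the sample: it also says "Unknown owner" and "(file missing)" (because of the stray quote in its path), so a rule keyed on those two strings alone would have ticked a Kaspersky entry; the Temp-folder test is what separates it from HJKHEK.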
