HijackThis reports an error


  • Joined: 17 Apr 2006
  • Posts: 215
  • Location: Novi Sad

Posted: 24 Jun 2009 23:35

HijackThis reports an error:
Error details:
modRegistry_IniGetString(sFile=system.ini, sSection=boot, sValue=Shell)
Error #5 - Invalid procedure call or argument

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.5512
HijackThis version: 2.0.2

My computer is full of problems (at startup the My Documents folder opens as soon as the system boots... and for a long time now I haven't had any kind of protection on the computer), so it seemed logical to me to get rid of the viruses before installing a firewall and an antivirus program.
I already have a problem with HJT, so now I don't know what to do.
Please help.

Addendum: 24 Jun 2009 23:38

HJT did produce a log after all, and it looks like this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:34 PM, on 6/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\Program Files\File Seeker\FSeekerDBUpdater.exe
C:\windows\system32\explorĺr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Slavica\Application Data\explorer.exe
C:\Documents and Settings\Slavica\Local Settings\Application Data\lsass.exe
C:\Documents and Settings\Slavica\Application Data\explorer.exe
C:\Documents and Settings\Slavica\Local Settings\Application Data\lsass.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\ZASHTITA RACHUNARA\autostoper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [FileSeekerUpdater] "C:\Program Files\File Seeker\FSeekerDBUpdater.exe" -start
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LanTalk.NET] C:\Program Files\CEZEO software\LanTalk NET\LanTalk.exe
O4 - HKLM\..\Run: [rundll32] c:\windows\system32\explorar.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: windows.pif = ?
O4 - Global Startup: Empty.pif = ?
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNfox000
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebpro......0.1.1.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A} (FileInterface Class) - https://www.ebank.lhb.rs/DLL/FSINT.dll
O16 - DPF: {62CF4D10-EBA7-45DA-ACA0-4B002E8B3A85} (NetSeTManager Class) - https://secure.deltabanka.rs/Pages/Download/CABS/DigitrustApiNetSetPlugIn.cab
O16 - DPF: {76326493-E84F-4D4B-939C-1E07B50037F2} (ProxyModule Class) - https://online.deltabanka.rs/RetailDLL/SGCMSCCD.DLL
O16 - DPF: {8BA2FE8E-8506-11D4-BFE2-CB5FED326646} (Archive Class) - https://www.ebank.ppbank.com/DLL/SAWZip.dll
O16 - DPF: {A42DDE4E-DF36-4592-83B6-CCA28E770ABD} (Ebanking.Utility) - https://www.ebank.ppbank.com/DLL/EbankingWWW.dll
O16 - DPF: {E772C6B1-C3D6-4251-990B-1511D7822722} (SecAPI Class) - https://www.ebank.ppbank.com/DLL/EBCSCC2B.dll
O16 - DPF: {EA5E79E5-3E25-46DA-A519-F8FC52B66ADC} (SecAPI Class) - https://www.ebank.ppbank.com/DLL/EBCCDC2.dll
O20 - Winlogon Notify: netstraf - C:\WINDOWS\system32\netstraf.dll (file missing)
O20 - Winlogon Notify: wmvmgr - wmvmgr32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\winvnc.exe

--
End of file - 7610 bytes
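
A small triage script, added here as an example and not part of the original post or of HijackThis, that applies the checks an analyst makes by eye on the log above: a core Windows binary name running outside its expected directory, a lookalike name that differs from a core name by one character (explorĺr.exe, explorar.exe), executables launched from the user profile's Application Data, .pif startup items, and Winlogon Notify packages whose DLL is missing. The expected directories in CORE_BINARIES and the one-character rule are my assumptions for a default Windows XP layout; SAMPLE_LOG is an excerpt constructed from the posted log.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example, not code from the original post or from HijackThis: the rules
(CORE_BINARIES, the one-character lookalike test, the profile-directory check)
are my own, and SAMPLE_LOG is an excerpt constructed from the log posted above.
"""
import re
import unicodedata
from pathlib import PureWindowsPath

# Core Windows binaries that malware impersonates, each with the one directory
# it legitimately runs from on a default Windows XP install (assumption).
CORE_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
PROFILE_MARKERS = ("\\application data\\", "\\local settings\\")
RUN_ENTRY = re.compile(r"^O4 - .+?: \[(?P<val>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_ENTRY = re.compile(r"^O4 - (?:Global )?Startup: (?P<item>.+?)(?: = .*)?$")
DRIVE_PATH = re.compile(r"^[a-zA-Z]:\\")

# Constructed excerpt of the posted log (process list, then O4/O20 entries).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system32\explorĺr.exe
C:\Documents and Settings\Slavica\Application Data\explorer.exe
C:\Documents and Settings\Slavica\Local Settings\Application Data\lsass.exe

O4 - HKLM\..\Run: [rundll32] c:\windows\system32\explorar.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Startup: windows.pif = ?
O4 - Global Startup: Empty.pif = ?
O20 - Winlogon Notify: netstraf - C:\WINDOWS\system32\netstraf.dll (file missing)
"""


def lookalike_of(name):
    """Core binary that `name` differs from by exactly one character, else None."""
    for core in CORE_BINARIES:
        if len(core) == len(name) and sum(a != b for a, b in zip(core, name)) == 1:
            return core
    return None


def check_path(path):
    """Reasons a file path looks like malware; empty list if nothing stands out."""
    p = PureWindowsPath(path.lower())
    name, parent, reasons = p.name, str(p.parent), []
    odd = [c for c in name if ord(c) > 127]
    if odd:  # e.g. 'explorĺr.exe': a non-ASCII letter hiding in a familiar name
        reasons.append("non-ASCII character in filename: "
                       + ", ".join(unicodedata.name(c, "?") for c in odd))
    if core := lookalike_of(name):
        reasons.append(f"{name} looks like {core} (one character differs)")
    if name in CORE_BINARIES and parent != CORE_BINARIES[name]:
        reasons.append(f"{name} outside its expected directory ({parent})")
    if name.endswith(".exe") and any(m in str(p) for m in PROFILE_MARKERS):
        reasons.append("executable stored under the user profile's Application Data")
    return reasons


def first_path(cmd):
    """The program a Run value launches: the quoted path, or the first token."""
    cmd = cmd.strip()
    return cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split()[0]


def triage(log_text):
    """Return (line, reason) pairs for every log line that trips a rule."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if DRIVE_PATH.match(line):  # a line from the "Running processes:" list
            findings += [(line, r) for r in check_path(line)]
        elif run := RUN_ENTRY.match(line):
            target = first_path(run["cmd"])
            findings += [(line, r) for r in check_path(target)]
            val = run["val"].lower()
            val = val if val.endswith(".exe") else val + ".exe"
            # A Run value named after a system binary that launches something else.
            if val in CORE_BINARIES and PureWindowsPath(target.lower()).name != val:
                findings.append((line, f"Run value named [{run['val']}] does not launch {val}"))
        elif st := STARTUP_ENTRY.match(line):
            if st["item"].lower().endswith(".pif"):
                findings.append((line, "startup item is a .pif (DOS shortcut, commonly abused)"))
        elif line.startswith("O20 - ") and "(file missing)" in line:
            findings.append((line, "Winlogon Notify package whose DLL is missing"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

The one-character rule is deliberately coarse: it will also match harmless near-neighbours of the core names, so treat its output as a list to inspect, not a verdict. It does catch both spellings used on this machine, the non-ASCII explorĺr.exe in system32 and the ASCII explorar.exe in the Run key, which a plain string comparison against explorer.exe would miss.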

  • helen1 (Male)
  • Anti Malware Fighter, Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8488
  • Location: Novi Beograd

Hi,

sorry, but I've never heard dumber logic.

Install an antivirus, scan, let it clean what it can, and then we'll continue.

By the way, you're full of malware.

  • Joined: 17 Apr 2006
  • Posts: 215
  • Location: Novi Sad

Posted: 25 Jun 2009 0:08

Well, I do have my moments of outbursts of stupidity, but that happens when a person has half-knowledge and certain prejudices about a subject (for instance, small children who have no knowledge at all often spot the core of a problem and a solution that would never occur to adults).

So, I'll install an antivirus, scan, and get back to you; in the meantime I'm off to be ashamed and embarrassed.

Thanks for the quick reply!

Addendum: 26 Jun 2009 22:29

New HJT log after cleaning with Symantec antivirus:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:52 PM, on 6/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\UltraVNC\winvnc.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\Program Files\File Seeker\FSeekerDBUpdater.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\ZASHTITA RACHUNARA\autostoper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [FileSeekerUpdater] "C:\Program Files\File Seeker\FSeekerDBUpdater.exe" -start
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LanTalk.NET] C:\Program Files\CEZEO software\LanTalk NET\LanTalk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Symantec AntiVirus\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [] 
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNfox000
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebpro......0.1.1.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A} (FileInterface Class) - https://www.ebank.lhb.rs/DLL/FSINT.dll
O16 - DPF: {62CF4D10-EBA7-45DA-ACA0-4B002E8B3A85} (NetSeTManager Class) - https://secure.deltabanka.rs/Pages/Download/CABS/DigitrustApiNetSetPlugIn.cab
O16 - DPF: {76326493-E84F-4D4B-939C-1E07B50037F2} (ProxyModule Class) - https://online.deltabanka.rs/RetailDLL/SGCMSCCD.DLL
O16 - DPF: {8BA2FE8E-8506-11D4-BFE2-CB5FED326646} (Archive Class) - https://www.ebank.ppbank.com/DLL/SAWZip.dll
O16 - DPF: {A42DDE4E-DF36-4592-83B6-CCA28E770ABD} (Ebanking.Utility) - https://www.ebank.ppbank.com/DLL/EbankingWWW.dll
O16 - DPF: {E772C6B1-C3D6-4251-990B-1511D7822722} (SecAPI Class) - https://www.ebank.ppbank.com/DLL/EBCSCC2B.dll
O16 - DPF: {EA5E79E5-3E25-46DA-A519-F8FC52B66ADC} (SecAPI Class) - https://www.ebank.ppbank.com/DLL/EBCCDC2.dll
O20 - Winlogon Notify: netstraf - C:\WINDOWS\system32\netstraf.dll (file missing)
O20 - Winlogon Notify: wmvmgr - wmvmgr32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\winvnc.exe

--
End of file - 8603 bytes

I don't doubt there's still a lot left to clean, so I'm asking for help!
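
Once a second log exists, the useful question is what the antivirus actually removed and what is still there. The script below, added as an example and not code from the original post or from HijackThis, keys each entry on its section plus CLSID, Run value name or item name, diffs the two logs, and splits the survivors into orphaned registry references (HJT marks these "(no file)" or "(file missing)") and entries still backed by a file on disk. BEFORE and AFTER are excerpts constructed from the first and second logs posted in this thread; the key scheme is my own.

```python
"""Before/after comparison of two HijackThis logs.

Added example, not code from the original post or from HijackThis: it keys each
HJT entry on its section plus CLSID, Run value name or item name, so the log
posted before the antivirus run can be diffed against the one posted after it.
Entries that survived are split into orphaned registry references, marked by HJT
as '(no file)' or '(file missing)', and entries whose file is still on disk.
BEFORE and AFTER are excerpts constructed from the two logs in this thread.
"""
import re

HJT_ENTRY = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
GUID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RUN_VALUE = re.compile(r"^(?P<key>.+?): \[(?P<val>.*?)\]")
ORPHAN = re.compile(r"\((?:no file|file missing)\)$")

BEFORE = r"""
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [rundll32] c:\windows\system32\explorar.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Startup: windows.pif = ?
O4 - Global Startup: Empty.pif = ?
O20 - Winlogon Notify: netstraf - C:\WINDOWS\system32\netstraf.dll (file missing)
O20 - Winlogon Notify: wmvmgr - wmvmgr32.dll (file missing)
"""

AFTER = r"""
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Policies\Explorer\Run: []
O20 - Winlogon Notify: netstraf - C:\WINDOWS\system32\netstraf.dll (file missing)
O20 - Winlogon Notify: wmvmgr - wmvmgr32.dll (file missing)
"""


def entry_key(line):
    """Stable identity of an HJT entry, ignoring the tail that changes when the
    referenced file is deleted. Returns None for non-entry lines."""
    m = HJT_ENTRY.match(line)
    if not m:
        return None
    sec, body = m["sec"], m["body"]
    kind = body.split(":", 1)[0]  # 'BHO', 'URLSearchHook', 'Toolbar', ...
    if g := GUID.search(body):  # CLSID-based entries (R3, O2, O3, O9, O16)
        return (sec, kind, g.group().lower())
    if r := RUN_VALUE.match(body):  # autorun registry values (O4 ... Run)
        return (sec, r["key"], r["val"].lower())
    return (sec, body.split(" - ")[0].lower())


def index(log_text):
    """Map entry key -> full line for every HJT entry in the log."""
    entries = {}
    for line in (l.strip() for l in log_text.splitlines()):
        if key := entry_key(line):
            entries[key] = line
    return entries


def compare(before, after):
    """Classify the entries of `after` relative to `before`."""
    b, a = index(before), index(after)
    remaining = [a[k] for k in a if k in b]
    return {
        "removed": [b[k] for k in b if k not in a],  # gone after the AV run
        "added": [a[k] for k in a if k not in b],    # new since the first log
        # survived, but the file is gone: dead registry references
        "orphaned": [l for l in remaining if ORPHAN.search(l)],
        # survived and still backed by a file on disk: needs a closer look
        "live": [l for l in remaining if not ORPHAN.search(l)],
    }


if __name__ == "__main__":
    for bucket, lines in compare(BEFORE, AFTER).items():
        print(bucket, *lines, sep="\n    ")
```

On these excerpts the diff puts the [rundll32] Run value and the two .pif startup items in "removed", the MyWebSearch search hook and BHO and both Winlogon Notify packages in "orphaned", and the SweetIM toolbar DLL in "live"; it also surfaces the HKLM\..\Policies\Explorer\Run key that only appears in the second log. Orphaned entries are dead registry references that HJT can fix directly; live ones point at a file that still has to be dealt with first.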

  • helen1 (Male)
  • Anti Malware Fighter, Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8488
  • Location: Novi Beograd

Now we can get started:

Download sUBs' ComboFix from one of the following addresses to your Desktop:

Bleeping Computer . . . . . Geeks to Go!

Right-click one of the links and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
when the dialog for choosing where to save the file opens, select Desktop and click Save.

When the download has finished:
close any running programs;
disable your protection software (instructions);
double-click ComboFix to run it.

While it runs, ComboFix will:
check whether a newer version of the program exists: click Yes if it offers to download it;
show the DISCLAIMER OF WARRANTY ON SOFTWARE: click Yes so the process continues;
if the Recovery Console is not installed, offer to install it: accept by clicking Yes and follow the procedure;
ask a number of questions / show notifications: accept by clicking Yes or OK;
restart Windows if needed (possibly several times);
at the end, open Notepad with the scan report.

Copy the report ComboFix produced into the forum thread:
right-click in the Notepad window and choose Select All;
right-click the selected text and choose Copy;
right-click in the message box and choose Paste.

Note: the report is saved as ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
if after posting you notice the report is incomplete, use the Attach file option to attach C:\ComboFix.txt to your message.

  • Joined: 17 Apr 2006
  • Posts: 215
  • Location: Novi Sad

ComboFix 09-06-26.02 - Slavica 06/26/2009 22:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.511.230 [GMT 2:00]
Running from: c:\documents and settings\Slavica\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Slavica\Application Data\FunWebProducts
c:\documents and settings\Slavica\Local Settings\Application Data\lsass.exe
c:\program files\FunWebProducts
c:\program files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html
c:\program files\FunWebProducts\Shared\Cache\MailStampBtn.html
c:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
c:\program files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\1.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Cache\0002EE6D
c:\program files\MyWebSearch\bar\Cache\001D862A
c:\program files\MyWebSearch\bar\Cache\00298F29
c:\program files\MyWebSearch\bar\Cache\0039E71E
c:\program files\MyWebSearch\bar\Cache\0039F69F.bin
c:\program files\MyWebSearch\bar\Cache\0039FC1D.bin
c:\program files\MyWebSearch\bar\Cache\003A06CC.bin
c:\program files\MyWebSearch\bar\Cache\003A0B02.bin
c:\program files\MyWebSearch\bar\Cache\00C5E541.bin
c:\program files\MyWebSearch\bar\Cache\00C5E800.bin
c:\program files\MyWebSearch\bar\Cache\00C5EB4C
c:\program files\MyWebSearch\bar\Cache\01DDB72A.bin
c:\program files\MyWebSearch\bar\Cache\02B0D00F.bin
c:\program files\MyWebSearch\bar\Cache\02B0D88B.bin
c:\program files\MyWebSearch\bar\Cache\02B0DE86.bin
c:\program files\MyWebSearch\bar\Cache\02B0E5BA.bin
c:\program files\MyWebSearch\bar\Cache\02B0E992.bin
c:\program files\MyWebSearch\bar\Cache\0354978C
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search2
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat

.
((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-06-26 )))))))))))))))))))))))))))))))
.

2009-06-24 22:47 . 2009-06-24 22:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-06-24 22:28 . 2009-06-24 22:28 -------- d-----w- c:\documents and settings\Slavica\Local Settings\Application Data\Symantec
2009-06-24 22:26 . 2005-09-16 22:20 87768 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-06-24 22:26 . 2005-09-16 22:20 108168 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-24 22:26 . 2009-06-24 22:27 -------- d-----w- c:\program files\Symantec
2009-06-24 22:26 . 2009-06-26 20:46 -------- d-----w- c:\program files\Symantec AntiVirus
2009-06-24 22:26 . 2009-06-24 22:43 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-24 22:26 . 2009-06-24 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-21 09:15 . 2006-04-24 09:30 59392 ----a-r- c:\documents and settings\Slavica\Application Data\explorer.exe
2009-06-15 11:27 . 2009-06-15 13:57 -------- d-----w- c:\documents and settings\All Users\Application Data\FarmFrenzy-PizzaParty
2009-06-15 11:04 . 2009-06-15 11:27 -------- d-----w- c:\documents and settings\Slavica\Application Data\Ashtons. Family Resort
2009-06-15 11:04 . 2009-06-15 11:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Ashtons. Family Resort
2009-06-15 11:01 . 2009-06-15 11:01 -------- d-----w- c:\program files\Games
2009-06-15 11:00 . 2009-06-15 11:00 -------- d-----w- c:\program files\Farm Frenzy Pizza Party
2009-06-15 11:00 . 2009-06-15 11:00 -------- d-----w- c:\windows\Farm Frenzy Pizza Party
2009-06-15 10:58 . 2009-06-15 10:59 -------- d-----w- c:\program files\Ashtons Family Resort
2009-06-15 10:58 . 2009-06-15 10:58 -------- d-----w- c:\windows\Ashtons Family Resort
2009-06-10 06:21 . 2009-06-10 06:21 152576 ----a-w- c:\documents and settings\Slavica\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-26 20:08 . 2008-06-28 08:15 -------- d-----w- c:\program files\Common Files\Akamai
2009-06-26 08:33 . 2007-09-20 09:05 -------- d-----w- c:\program files\File Seeker
2009-06-24 20:54 . 2006-05-03 21:39 27 ----a-w- c:\windows\popcinfo.dat
2009-06-24 07:46 . 2006-05-03 20:12 -------- d-----w- c:\documents and settings\Slavica\Application Data\AdobeUM
2009-06-23 08:17 . 2008-11-17 11:55 -------- d-----w- c:\documents and settings\Slavica\Application Data\Playrix Entertainment
2009-06-15 14:59 . 2007-12-10 13:50 -------- d-----w- c:\documents and settings\Slavica\Application Data\BitTorrent
2009-06-15 11:05 . 2007-12-09 09:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-10 06:22 . 2007-12-08 18:10 -------- d-----w- c:\program files\Java
2009-05-21 09:33 . 2009-04-14 16:44 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-20 14:06 . 2006-08-17 07:47 -------- d-----w- c:\program files\Optimik
2009-04-14 16:31 . 2009-04-14 16:31 152576 ----a-w- c:\documents and settings\Slavica\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2007-12-09 10:07 . 2007-12-27 22:27 241664 ----a-w- c:\program files\Uninstall Ask Toolbar.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2005-10-31 503808]
"FileSeekerUpdater"="c:\program files\File Seeker\FSeekerDBUpdater.exe" [2007-01-12 603648]
"LanTalk.NET"="c:\program files\CEZEO software\LanTalk NET\LanTalk.exe" [2008-12-21 330920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="c:\progra~1\Symantec AntiVirus\VPTray.exe" [2005-11-15 85744]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

c:\documents and settings\Slavica\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-11-1 256000]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metacafe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Metacafe.lnk
backup=c:\windows\pss\Metacafe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Slavica^Start Menu^Programs^Startup^Metacafe.lnk]
path=c:\documents and settings\Slavica\Start Menu\Programs\Startup\Metacafe.lnk
backup=c:\windows\pss\Metacafe.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Slavica^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=c:\documents and settings\Slavica\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CiSvc"=3 (0x3)
"PolicyAgent"=2 (0x2)
"helpsvc"=2 (0x2)
"TrkWks"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CEZEO software\\LanTalk NET\\LanTalk.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\explorĺr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"1055:TCP"= 1055:TCP:Akamai NetSession Interface
"1057:TCP"= 1057:TCP:Akamai NetSession Interface
"1079:TCP"= 1079:TCP:Akamai NetSession Interface
"1197:TCP"= 1197:TCP:Akamai NetSession Interface
"1205:TCP"= 1205:TCP:Akamai NetSession Interface
"1214:TCP"= 1214:TCP:Akamai NetSession Interface
"1243:TCP"= 1243:TCP:Akamai NetSession Interface
"1253:TCP"= 1253:TCP:Akamai NetSession Interface
"1047:TCP"= 1047:TCP:Akamai NetSession Interface
"1221:TCP"= 1221:TCP:Akamai NetSession Interface
"1639:TCP"= 1639:TCP:Akamai NetSession Interface
"1050:TCP"= 1050:TCP:Akamai NetSession Interface
"1062:TCP"= 1062:TCP:Akamai NetSession Interface
"1095:TCP"= 1095:TCP:Akamai NetSession Interface
"1113:TCP"= 1113:TCP:Akamai NetSession Interface
"1054:TCP"= 1054:TCP:Akamai NetSession Interface
"1706:TCP"= 1706:TCP:Akamai NetSession Interface
"1092:TCP"= 1092:TCP:Akamai NetSession Interface
"1053:TCP"= 1053:TCP:Akamai NetSession Interface
"1088:TCP"= 1088:TCP:Akamai NetSession Interface
"1825:TCP"= 1825:TCP:Akamai NetSession Interface
"1068:TCP"= 1068:TCP:Akamai NetSession Interface
"1094:TCP"= 1094:TCP:Akamai NetSession Interface
"1162:TCP"= 1162:TCP:Akamai NetSession Interface
"1517:TCP"= 1517:TCP:Akamai NetSession Interface
"1336:TCP"= 1336:TCP:Akamai NetSession Interface
"1354:TCP"= 1354:TCP:Akamai NetSession Interface
"1193:TCP"= 1193:TCP:Akamai NetSession Interface
"1228:TCP"= 1228:TCP:Akamai NetSession Interface
"1258:TCP"= 1258:TCP:Akamai NetSession Interface
"1099:TCP"= 1099:TCP:Akamai NetSession Interface
"1133:TCP"= 1133:TCP:Akamai NetSession Interface
"1139:TCP"= 1139:TCP:Akamai NetSession Interface
"1065:TCP"= 1065:TCP:Akamai NetSession Interface

R2 Akamai;Akamai;c:\windows\System32\svchost.exe -k Akamai [8/23/2001 2:00 PM 14336]
R2 HPFECP13;HPFECP13;c:\windows\system32\drivers\HPFecp13.sys [9/25/1998 10:55 AM 52800]
R2 uvnc_service;uvnc_service;c:\program files\UltraVNC\winvnc.exe [1/19/2009 11:03 PM 1519168]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/25/2009 12:43 AM 101936]
S3 EraserUtilDrv10910;EraserUtilDrv10910;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [11/15/2005 1:27 PM 169200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl
Notify-netstraf - c:\windows\system32\netstraf.dll


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNfox000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: bancaintesabeograd.com\online
Trusted Zone: deltabanka.rs\online
Trusted Zone: lhb.rs\www.ebank
Trusted Zone: ppbank.com\www.ebank
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A} - hxxps://www.ebank.lhb.rs/DLL/FSINT.dll
DPF: {62CF4D10-EBA7-45DA-ACA0-4B002E8B3A85} - hxxps://secure.deltabanka.rs/Pages/Download/CABS/DigitrustApiNetSetPlugIn.cab
DPF: {76326493-E84F-4D4B-939C-1E07B50037F2} - hxxps://online.deltabanka.rs/RetailDLL/SGCMSCCD.DLL
DPF: {8BA2FE8E-8506-11D4-BFE2-CB5FED326646} - hxxps://www.ebank.ppbank.com/DLL/SAWZip.dll
DPF: {A42DDE4E-DF36-4592-83B6-CCA28E770ABD} - hxxps://www.ebank.ppbank.com/DLL/EbankingWWW.dll
DPF: {E772C6B1-C3D6-4251-990B-1511D7822722} - hxxps://www.ebank.ppbank.com/DLL/EBCSCC2B.dll
DPF: {EA5E79E5-3E25-46DA-A519-F8FC52B66ADC} - hxxps://www.ebank.ppbank.com/DLL/EBCCDC2.dll
FF - ProfilePath - c:\documents and settings\Slavica\Application Data\Mozilla\Firefox\Profiles\k8t9pkfq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.pimpmysearch.com/home.html?gname=Stolica
FF - component: c:\documents and settings\Slavica\Application Data\Mozilla\Firefox\Profiles\k8t9pkfq.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - component: c:\documents and settings\Slavica\Application Data\Mozilla\Firefox\Profiles\k8t9pkfq.default\extensions\piclens@cooliris.com\components\piclensstub.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - localfilelinks
FF - user.js: capability.policy.localfilelinks.sites - hxxp://www.travian.org http://www.travian.at http://welt1.travian.de http://welt2.travian.de http://welt3.travian.de http://welt4.travian.de http://welt5.travian.de http://welt6.travian.de http://welt7.travian.de http://welt8.travian.de http://welt9.travian.de http://welt10.travian.de http://speed.travian.de rs1.travian.com
FF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-26 22:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(604)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-26 23:00
ComboFix-quarantined-files.txt 2009-06-26 21:00

Pre-Run: 20,749,803,520 bytes free
Post-Run: 20,767,195,136 bytes free

helen1 (Male)
  • Anti Malware Fighter, Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8488
  • Location: Novi Beograd

Open Notepad and copy the following text into it:

File::
c:\WINDOWS\system32\explorĺr.exe
c:\documents and settings\Slavica\Application Data\explorer.exe

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\explorĺr.exe"=-

DDS::
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNfox000



Save the Notepad file to the Desktop as "CFScript".

Drag the saved script/text onto the ComboFix icon, as shown in the picture.
Post the log that is produced at the end of the cleaning/scan in your next message.
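The script above removes a file whose name mimics explorer.exe but contains a non-ASCII look-alike character, together with the firewall exception that had been granted to it. The following Python script is an added example written for this thread, not code from the forum, from ComboFix or from OTM; it shows how a defender can triage such log lines automatically instead of spotting them by eye. The sample log is constructed from paths like those in the thread's logs, and the locations of the genuine system binaries and the expansion of %windir% are assumptions for a default 32-bit XP install.

```python
"""Triage of ComboFix-style log lines for masquerading executables (added example).

Two indicators seen in this thread are checked:
  1. an executable whose name mimics a Windows system binary but contains a
     non-ASCII look-alike character (explorĺr.exe vs explorer.exe);
  2. a genuine system binary name running from outside the Windows directories.
Firewall AuthorizedApplications entries get the same checks.
"""
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass

SYSTEM_BINARIES = {
    "explorer.exe", "lsass.exe", "svchost.exe", "winlogon.exe",
    "services.exe", "csrss.exe", "smss.exe", "spoolsv.exe",
}
# Assumed locations of the genuine copies on a default 32-bit XP install.
LEGIT_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")
WINDIR = "c:\\windows"  # assumed expansion of %windir%

FIREWALL_SECTION = "firewallpolicy\\standardprofile\\authorizedapplications\\list"
PATH_LINE = re.compile(r"^[a-z]:\\", re.IGNORECASE)   # bare process path
FW_LINE = re.compile(r'^"(.+?)"=')                     # registry-export value line

@dataclass(frozen=True)
class Finding:
    source: str   # "process" or "firewall"
    path: str
    reason: str

def _normalize(path: str) -> str:
    """Lower-case, collapse registry-style doubled backslashes, expand %windir%."""
    return path.replace("\\\\", "\\").lower().replace("%windir%", WINDIR)

def _fold(name: str) -> str:
    """Drop combining marks so a diacritic look-alike compares with its ASCII base."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))

def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; file names are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_path(path: str, source: str = "process") -> list[Finding]:
    """Return the findings for one executable path (empty if it looks benign)."""
    directory, _, name = _normalize(path).rpartition("\\")
    directory += "\\"
    findings = []
    if not name.isascii():
        findings.append(Finding(source, path, "non-ASCII character in executable name"))
    folded = _fold(name)
    if folded in SYSTEM_BINARIES:
        if directory not in LEGIT_DIRS:
            findings.append(Finding(source, path, f"{folded} outside the Windows directories"))
    else:
        near = [s for s in sorted(SYSTEM_BINARIES) if _edit_distance(folded, s) <= 1]
        if near:
            findings.append(Finding(source, path, f"name is one edit away from {near[0]}"))
    return findings

def triage(lines: list[str]) -> list[Finding]:
    """Bare paths are treated as running processes; quoted values under the
    firewall AuthorizedApplications key as exceptions. Other lines are ignored."""
    findings, in_firewall = [], False
    for raw in lines:
        line = raw.strip()
        if line.startswith("["):
            in_firewall = line.lower().rstrip("]").endswith(FIREWALL_SECTION)
        elif in_firewall and (m := FW_LINE.match(line)):
            findings += classify_path(m.group(1), "firewall")
        elif PATH_LINE.match(line):
            findings += classify_path(line, "process")
    return findings

# Constructed sample, modelled on entries that appear in the thread's logs.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\UltraVNC\winvnc.exe
C:\windows\system32\explorĺr.exe
C:\Documents and Settings\Slavica\Application Data\explorer.exe
C:\Documents and Settings\Slavica\Local Settings\Application Data\lsass.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
"c:\\WINDOWS\\system32\\explorĺr.exe"=
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.source}] {f.path}: {f.reason}")
```

Run as a script it prints six findings for the constructed sample: the look-alike name is reported twice (non-ASCII character, and one edit away from explorer.exe) both as a process and as a firewall exception, and the explorer.exe and lsass.exe copies under the user profile are reported for running outside the Windows directories. Feeding `triage()` the "Running processes" and firewall sections of a real log applies the same checks; the diacritic folding matters because a byte-for-byte comparison with explorer.exe would never match the fake.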

  • Joined: 17 Apr 2006
  • Posts: 215
  • Location: Novi Sad

Posted: 27 Jun 2009 23:15

ComboFix 09-06-26.02 - Slavica 06/27/2009 22:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.511.160 [GMT 2:00]
Running from: c:\documents and settings\Slavica\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Slavica\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\documents and settings\Slavica\Application Data\explorer.exe"
"c:\windows\system32\explorĺr.exe"
.

((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-06-27 )))))))))))))))))))))))))))))))
.

2009-06-26 22:34 . 2009-06-26 22:08 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-26 22:07 . 2009-06-26 22:07 565096 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-26 22:07 . 2009-06-26 22:07 2349384 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-26 22:07 . 2009-06-26 22:07 627536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-26 22:07 . 2009-06-26 22:07 518488 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-26 22:07 . 2009-06-26 22:07 1003344 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-26 22:02 . 2009-06-26 22:02 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-26 22:02 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-26 22:02 . 2009-06-26 22:02 -------- d-----w- c:\program files\Lavasoft
2009-06-26 22:02 . 2009-06-26 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-26 20:59 . 2009-06-26 20:59 -------- dc----w- c:\windows\system32\dllcache\cache
2009-06-24 22:47 . 2009-06-24 22:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-06-24 22:28 . 2009-06-24 22:28 -------- d-----w- c:\documents and settings\Slavica\Local Settings\Application Data\Symantec
2009-06-24 22:26 . 2005-09-16 22:20 87768 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-06-24 22:26 . 2005-09-16 22:20 108168 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-24 22:26 . 2009-06-24 22:27 -------- d-----w- c:\program files\Symantec
2009-06-24 22:26 . 2009-06-27 20:56 -------- d-----w- c:\program files\Symantec AntiVirus
2009-06-24 22:26 . 2009-06-24 22:43 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-24 22:26 . 2009-06-24 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-15 11:27 . 2009-06-15 13:57 -------- d-----w- c:\documents and settings\All Users\Application Data\FarmFrenzy-PizzaParty
2009-06-15 11:04 . 2009-06-15 11:27 -------- d-----w- c:\documents and settings\Slavica\Application Data\Ashtons. Family Resort
2009-06-15 11:04 . 2009-06-15 11:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Ashtons. Family Resort
2009-06-15 11:01 . 2009-06-15 11:01 -------- d-----w- c:\program files\Games
2009-06-15 11:00 . 2009-06-15 11:00 -------- d-----w- c:\program files\Farm Frenzy Pizza Party
2009-06-15 11:00 . 2009-06-15 11:00 -------- d-----w- c:\windows\Farm Frenzy Pizza Party
2009-06-15 10:58 . 2009-06-15 10:59 -------- d-----w- c:\program files\Ashtons Family Resort
2009-06-15 10:58 . 2009-06-15 10:58 -------- d-----w- c:\windows\Ashtons Family Resort
2009-06-10 06:21 . 2009-06-10 06:21 152576 ----a-w- c:\documents and settings\Slavica\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-27 20:49 . 2008-06-28 08:15 -------- d-----w- c:\program files\Common Files\Akamai
2009-06-27 10:17 . 2006-05-03 21:39 27 ----a-w- c:\windows\popcinfo.dat
2009-06-27 08:35 . 2007-09-20 09:05 -------- d-----w- c:\program files\File Seeker
2009-06-24 07:46 . 2006-05-03 20:12 -------- d-----w- c:\documents and settings\Slavica\Application Data\AdobeUM
2009-06-23 08:17 . 2008-11-17 11:55 -------- d-----w- c:\documents and settings\Slavica\Application Data\Playrix Entertainment
2009-06-15 14:59 . 2007-12-10 13:50 -------- d-----w- c:\documents and settings\Slavica\Application Data\BitTorrent
2009-06-15 11:05 . 2007-12-09 09:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-10 06:22 . 2007-12-08 18:10 -------- d-----w- c:\program files\Java
2009-05-21 09:33 . 2009-04-14 16:44 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-20 14:06 . 2006-08-17 07:47 -------- d-----w- c:\program files\Optimik
2009-04-14 16:31 . 2009-04-14 16:31 152576 ----a-w- c:\documents and settings\Slavica\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2007-12-09 10:07 . 2007-12-27 22:27 241664 ----a-w- c:\program files\Uninstall Ask Toolbar.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-26_20.57.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-29 06:05 . 2008-07-29 06:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 04:07 . 2008-07-29 04:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 04:07 . 2008-07-29 04:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2008-07-29 04:07 . 2008-07-29 04:07 80896 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfcm90ud.dll
+ 2008-07-29 04:07 . 2008-07-29 04:07 80896 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfcm90d.dll
+ 2009-06-27 20:48 . 2009-06-27 20:48 16384 c:\windows\Temp\Perflib_Perfdata_7f4.dat
+ 2009-06-26 22:08 . 2009-06-26 22:08 64160 c:\windows\system32\DRVSTORE\lbd_4C6E0193F967021F4DECA024CA3950BECD8BF864\Lbd.sys
+ 2009-06-26 22:08 . 2009-06-26 22:08 64160 c:\windows\system32\drivers\Lbd.sys
+ 2009-06-26 20:59 . 2008-04-14 04:42 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-26 20:59 . 2008-04-14 04:42 26112 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-26 20:59 . 2008-04-14 04:42 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-26 20:59 . 2008-04-14 04:42 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-26 20:59 . 2008-04-14 04:42 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-26 20:59 . 2008-04-14 04:42 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-26 20:59 . 2008-04-13 23:09 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-26 20:59 . 2008-04-13 23:23 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-26 20:59 . 2008-04-14 04:42 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 2008-07-29 06:05 . 2008-07-29 06:05 875520 c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcp90d.dll
+ 2008-07-29 01:54 . 2008-07-29 01:54 312832 c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcm90d.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 01:54 . 2008-07-29 01:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2009-06-26 20:59 . 2005-05-26 02:16 124184 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-26 20:59 . 2008-04-14 04:42 507904 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-26 20:59 . 2008-04-14 04:42 666112 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-26 20:59 . 2008-04-14 04:42 578560 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-26 20:59 . 2008-04-14 04:42 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-26 20:59 . 2008-04-13 23:50 361344 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-26 20:59 . 2008-04-14 04:42 108544 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-26 20:59 . 2008-04-13 23:50 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-26 20:59 . 2008-04-14 04:41 989696 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-26 20:59 . 2008-04-14 04:41 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-26 20:59 . 2008-04-14 04:41 167936 c:\windows\system32\dllcache\cache\appmgmts.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 5982720 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfc90ud.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 5937144 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfc90d.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 1180672 c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcr90d.dll
+ 2009-06-26 20:59 . 2008-04-14 04:42 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-26 20:59 . 2008-04-13 23:57 2188928 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-26 20:59 . 2008-04-13 23:01 2065792 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-26 20:59 . 2008-04-14 04:42 1033728 c:\windows\system32\dllcache\cache\explorer.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2005-10-31 503808]
"FileSeekerUpdater"="c:\program files\File Seeker\FSeekerDBUpdater.exe" [2007-01-12 603648]
"LanTalk.NET"="c:\program files\CEZEO software\LanTalk NET\LanTalk.exe" [2008-12-21 330920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="c:\progra~1\Symantec AntiVirus\VPTray.exe" [2005-11-15 85744]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-26 518488]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

c:\documents and settings\Slavica\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-11-1 256000]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metacafe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Metacafe.lnk
backup=c:\windows\pss\Metacafe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Slavica^Start Menu^Programs^Startup^Metacafe.lnk]
path=c:\documents and settings\Slavica\Start Menu\Programs\Startup\Metacafe.lnk
backup=c:\windows\pss\Metacafe.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Slavica^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=c:\documents and settings\Slavica\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CiSvc"=3 (0x3)
"PolicyAgent"=2 (0x2)
"helpsvc"=2 (0x2)
"TrkWks"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CEZEO software\\LanTalk NET\\LanTalk.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\explorĺr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"1055:TCP"= 1055:TCP:Akamai NetSession Interface
"1057:TCP"= 1057:TCP:Akamai NetSession Interface
"1079:TCP"= 1079:TCP:Akamai NetSession Interface
"1197:TCP"= 1197:TCP:Akamai NetSession Interface
"1205:TCP"= 1205:TCP:Akamai NetSession Interface
"1214:TCP"= 1214:TCP:Akamai NetSession Interface
"1243:TCP"= 1243:TCP:Akamai NetSession Interface
"1253:TCP"= 1253:TCP:Akamai NetSession Interface
"1047:TCP"= 1047:TCP:Akamai NetSession Interface
"1221:TCP"= 1221:TCP:Akamai NetSession Interface
"1639:TCP"= 1639:TCP:Akamai NetSession Interface
"1050:TCP"= 1050:TCP:Akamai NetSession Interface
"1062:TCP"= 1062:TCP:Akamai NetSession Interface
"1095:TCP"= 1095:TCP:Akamai NetSession Interface
"1113:TCP"= 1113:TCP:Akamai NetSession Interface
"1054:TCP"= 1054:TCP:Akamai NetSession Interface
"1706:TCP"= 1706:TCP:Akamai NetSession Interface
"1092:TCP"= 1092:TCP:Akamai NetSession Interface
"1053:TCP"= 1053:TCP:Akamai NetSession Interface
"1088:TCP"= 1088:TCP:Akamai NetSession Interface
"1825:TCP"= 1825:TCP:Akamai NetSession Interface
"1068:TCP"= 1068:TCP:Akamai NetSession Interface
"1094:TCP"= 1094:TCP:Akamai NetSession Interface
"1162:TCP"= 1162:TCP:Akamai NetSession Interface
"1517:TCP"= 1517:TCP:Akamai NetSession Interface
"1336:TCP"= 1336:TCP:Akamai NetSession Interface
"1354:TCP"= 1354:TCP:Akamai NetSession Interface
"1193:TCP"= 1193:TCP:Akamai NetSession Interface
"1228:TCP"= 1228:TCP:Akamai NetSession Interface
"1258:TCP"= 1258:TCP:Akamai NetSession Interface
"1099:TCP"= 1099:TCP:Akamai NetSession Interface
"1133:TCP"= 1133:TCP:Akamai NetSession Interface
"1139:TCP"= 1139:TCP:Akamai NetSession Interface
"1065:TCP"= 1065:TCP:Akamai NetSession Interface

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/27/2009 12:08 AM 64160]
R2 Akamai;Akamai;c:\windows\System32\svchost.exe -k Akamai [8/23/2001 2:00 PM 14336]
R2 HPFECP13;HPFECP13;c:\windows\system32\drivers\HPFecp13.sys [9/25/1998 10:55 AM 52800]
R2 uvnc_service;uvnc_service;c:\program files\UltraVNC\winvnc.exe [1/19/2009 11:03 PM 1519168]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/25/2009 12:43 AM 101936]
S3 EraserUtilDrv10910;EraserUtilDrv10910;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 9:06 PM 1003344]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [11/15/2005 1:27 PM 169200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: bancaintesabeograd.com\online
Trusted Zone: deltabanka.rs\online
Trusted Zone: lhb.rs\www.ebank
Trusted Zone: ppbank.com\www.ebank
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A} - hxxps://www.ebank.lhb.rs/DLL/FSINT.dll
DPF: {62CF4D10-EBA7-45DA-ACA0-4B002E8B3A85} - hxxps://secure.deltabanka.rs/Pages/Download/CABS/DigitrustApiNetSetPlugIn.cab
DPF: {76326493-E84F-4D4B-939C-1E07B50037F2} - hxxps://online.deltabanka.rs/RetailDLL/SGCMSCCD.DLL
DPF: {8BA2FE8E-8506-11D4-BFE2-CB5FED326646} - hxxps://www.ebank.ppbank.com/DLL/SAWZip.dll
DPF: {A42DDE4E-DF36-4592-83B6-CCA28E770ABD} - hxxps://www.ebank.ppbank.com/DLL/EbankingWWW.dll
DPF: {E772C6B1-C3D6-4251-990B-1511D7822722} - hxxps://www.ebank.ppbank.com/DLL/EBCSCC2B.dll
DPF: {EA5E79E5-3E25-46DA-A519-F8FC52B66ADC} - hxxps://www.ebank.ppbank.com/DLL/EBCCDC2.dll
FF - ProfilePath - c:\documents and settings\Slavica\Application Data\Mozilla\Firefox\Profiles\k8t9pkfq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.pimpmysearch.com/home.html?gname=Stolica
FF - component: c:\documents and settings\Slavica\Application Data\Mozilla\Firefox\Profiles\k8t9pkfq.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - component: c:\documents and settings\Slavica\Application Data\Mozilla\Firefox\Profiles\k8t9pkfq.default\extensions\piclens@cooliris.com\components\piclensstub.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - localfilelinks
FF - user.js: capability.policy.localfilelinks.sites - hxxp://www.travian.org http://www.travian.at http://welt1.travian.de http://welt2.travian.de http://welt3.travian.de http://welt4.travian.de http://welt5.travian.de http://welt6.travian.de http://welt7.travian.de http://welt8.travian.de http://welt9.travian.de http://welt10.travian.de http://speed.travian.de rs1.travian.com
FF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-27 23:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(604)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1232)
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
Completion time: 2009-06-27 23:10
ComboFix-quarantined-files.txt 2009-06-27 21:10
ComboFix2.txt 2009-06-26 21:00

Pre-Run: 20,527,976,448 bytes free
Post-Run: 20,510,748,672 bytes free


Addendum: 30 Jun 2009 22:49

Does anything still need to be cleaned?

offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8488
  • Location: Novi Beograd

Posted: 30 Jun 2009 23:36

Oops, I forgot about you, and I wasn't around yesterday.

Just let me collect myself a bit.

Addendum: 30 Jun 2009 23:50

Download the OTM program to the Desktop.

Double-click OTM.exe to run it.

Into the (left) window of the program (under Paste Instructions for Items to be Moved), copy everything inside the Code box:

:files
c:\WINDOWS\system32\explorĺr.exe

:reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\explorĺr.exe"=-

Click MoveIt!

When the process finishes, the right window of the program (under Results) will contain text that needs to be copied into a post on the forum.


If the following prompt appears:

Confirm ::The system requires a reboot to finish removing files.
Do you want to reboot now?


click Yes so that the computer restarts and the process is completed.

After the system restarts, the logfile will open automatically in Notepad.
Copy the contents of that log into a post on the forum.
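As an added example (not part of this thread, of OTM, or of any tool mentioned here), a small Python check modelled on the process list in the HijackThis log above: it flags well-known Windows binary names running from user-profile directories, and names within one character of a system binary (the log's "explorĺr.exe" folds to "explorlr.exe", one edit from explorer.exe); the table of expected directories and the sample paths are constructed for the example.

```python
import unicodedata
from pathlib import PureWindowsPath

# Expected directory of well-known Windows binaries (constructed table; extend for your baseline).
KNOWN_BINARIES = {
    "explorer.exe": r"c:\windows",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
}

def fold(name):
    """Lower-case and strip diacritics, e.g. 'explorĺr.exe' -> 'explorlr.exe'."""
    nfkd = unicodedata.normalize("NFKD", name)
    return "".join(c for c in nfkd if not unicodedata.combining(c)).lower()

def edit_distance(a, b):
    """Plain Levenshtein distance; inputs are short file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_path(path):
    """Return a finding string for a suspicious process path, else None."""
    p = PureWindowsPath(path)
    raw, folded, parent = p.name, fold(p.name), str(p.parent).lower()
    if folded in KNOWN_BINARIES:
        if raw.lower() != folded:
            return f"lookalike: {raw!r} folds to {folded!r}: {path}"
        if parent != KNOWN_BINARIES[folded]:
            return f"{folded} outside {KNOWN_BINARIES[folded]}: {path}"
        return None
    # One edit away from a system binary name (explorlr.exe, lsas.exe, ...)
    for known in KNOWN_BINARIES:
        if edit_distance(folded, known) == 1:
            return f"near-lookalike of {known}: {raw!r}: {path}"
    return None

def scan(lines):
    """Run check_path over 'Running processes' lines; return the findings."""
    return [f for f in (check_path(l.strip()) for l in lines) if f]

# Constructed sample modelled on the thread's HijackThis process list.
SAMPLE = [
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\windows\system32\explorĺr.exe",
    r"C:\Documents and Settings\Slavica\Application Data\explorer.exe",
    r"C:\Documents and Settings\Slavica\Local Settings\Application Data\lsass.exe",
]
```

Running scan(SAMPLE) reports three of the four paths; only the real C:\WINDOWS\Explorer.EXE passes.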

offline
  • Joined: 17 Apr 2006
  • Posts: 215
  • Location: Novi Sad

Here's the log:

========== FILES ==========
File/Folder c:\WINDOWS\system32\explorĺr.exe not found.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\c:\\WINDOWS\\system32\\explorĺr.exe not found.

OTM by OldTimer - Version 3.0.0.2 log created on 07022009_222056

offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8488
  • Location: Novi Beograd

Now post a new ComboFix log for me.
