Malware on a clean Windows install


  • Joined: 03 May 2005
  • Posts: 1298
  • Location: Vršac

I sent you C:\Qoobox\Quarantine.
Did you look at that program? Was there a virus in it?

Update: 20 Oct 2008 21:56

I have now cleaned the computer with WinTools and everything looks fine.
I deleted what would not go from startup and for now everything runs great. Was there a virus in that program?



ComboFix 08-10-18.03 - Bojan 2008-10-20 21:42:42.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.574 [GMT 2:00]
Running from: C:\Documents and Settings\Bojan\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-09-20 to 2008-10-20 )))))))))))))))))))))))))))))))
.

2008-10-19 01:02 . 2008-10-19 05:06 <DIR> d-------- C:\Program Files\Exterminate It!
2008-10-19 00:01 . 2008-10-19 00:01 <DIR> d-------- C:\Program Files\Godlike Developers
2008-10-18 23:53 . 2008-10-18 23:53 <DIR> d-------- C:\Program Files\VirtualDJ
2008-10-18 23:49 . 2008-10-18 23:51 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-10-18 23:49 . 2008-10-18 23:49 306,432 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-10-18 23:49 . 2007-12-20 10:41 29,440 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-10-18 23:47 . 2008-10-19 00:52 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-18 23:42 . 2008-10-18 23:42 <DIR> d-------- C:\Program Files\FastStone Image Viewer
2008-10-18 23:39 . 2008-10-18 23:39 <DIR> d-------- C:\Program Files\illiminable
2008-10-18 23:39 . 2008-10-18 23:39 <DIR> d-------- C:\Documents and Settings\Bojan\Application Data\vlc
2008-10-18 23:38 . 2008-10-18 23:38 <DIR> d-------- C:\Program Files\VideoLAN
2008-10-18 23:34 . 2008-10-18 23:34 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-18 23:34 . 2008-10-18 23:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-18 23:29 . 2008-10-18 23:29 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-10-18 22:51 . 2008-10-18 22:51 <DIR> d-------- C:\Program Files\Opera
2008-10-18 19:55 . 2008-10-18 19:55 <DIR> d-------- C:\PROGRAMI BEZ INSTALACIJE
2008-10-18 19:00 . 2008-10-18 19:00 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-10-18 18:35 . 2008-10-18 18:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\KONAMI
2008-10-18 18:13 . 2008-10-18 18:13 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-10-18 18:12 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-10-18 18:07 . 2008-10-18 18:08 <DIR> d-------- C:\totalcmd
2008-10-18 18:07 . 2008-10-19 00:22 611 --a------ C:\WINDOWS\wincmd.ini
2008-10-18 18:07 . 2008-08-08 07:04 545 --a------ C:\WINDOWS\UC.PIF
2008-10-18 18:07 . 2008-08-08 07:04 545 --a------ C:\WINDOWS\RAR.PIF
2008-10-18 18:07 . 2008-08-08 07:04 545 --a------ C:\WINDOWS\PKZIP.PIF
2008-10-18 18:07 . 2008-08-08 07:04 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2008-10-18 18:07 . 2008-08-08 07:04 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2008-10-18 18:07 . 2008-08-08 07:04 545 --a------ C:\WINDOWS\LHA.PIF
2008-10-18 18:07 . 2008-08-08 07:04 545 --a------ C:\WINDOWS\ARJ.PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-18 21:59 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-10-18 21:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\Bojan\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2007-06-24 1642496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCpl"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)
"DisableLockWorkstation"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuPinnedList"= 0 (0x0)
"NoStartMenuMFUprogramsList"= 1 (0x1)
"NoUserNameInStartMenu"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=

R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R3 Cap7134;ASUS TV7134 WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2003-07-18 349056]
R3 PhTVTune;ASUS WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2003-07-18 24608]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-10-18 306432]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2008-10-18 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 15:17]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-20 21:45:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
.
**************************************************************************
.
Completion time: 2008-10-20 21:47:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-20 19:47:41
ComboFix2.txt 2008-10-20 07:44:47
ComboFix3.txt 2008-10-19 23:12:59

Pre-Run: 15,353,933,824 bytes free
Post-Run: 15,318,810,624 bytes free


Update: 20 Oct 2008 21:58

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:56:13, on 20-Oct-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Bojan\Desktop\New Folder\TR3.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - Unknown owner - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 4175 bytes

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

That program appears to be clean. I scanned it on VirusTotal, and none of the 36 antivirus engines reported anything.
I also wanted to run it through the sandbox of the Vienna University of Technology, but their sandbox is currently out of service. It would tell us exactly what this program does.


This type of virus usually gets in through websites. You are typically shown a message that you are missing a codec in order to watch a video on that site.
You do not have to click anything - the malware has already got onto the computer.

The logs look OK.
Leave ComboFix on the computer for a few more days, and if there are no symptoms after a couple of days, the ComboFix uninstall procedure is described above.

  • Joined: 03 May 2005
  • Posts: 1298
  • Location: Vršac

OK, thanks a lot.
I downloaded that program from Rapidshare and that link no longer works. The one I sent you was downloaded from MegaUpload and it is possible that one is not infected, although both links were posted by the same person. Kaspersky found an infection during installation and everything slowed down. Now that you say there is nothing in it, I am tempted to install it again. But I will not; better safe than sorry.
Thanks Bobby.

Update: 21 Oct 2008 2:59

It is not good, something has come back again.
I can delete all of this manually and remove it from startup, but it appeared on its own.

I have this Autorun.exe on all four partitions.
And this Setup_ver1.1779.2.exe only on C, and it appeared by itself.
I will attach the logs now.

Update: 21 Oct 2008 3:00

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:58:27, on 21-Oct-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Documents and Settings\Bojan\Desktop\New Folder\TR3.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - Unknown owner - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 4140 bytes

Update: 21 Oct 2008 3:15

ComboFix 08-10-18.03 - Bojan 2008-10-21 3:00:05.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.553 [GMT 2:00]
Running from: C:\Documents and Settings\Bojan\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
D:\Autorun.inf
E:\Autorun.inf
H:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-09-21 to 2008-10-21 )))))))))))))))))))))))))))))))
.

2008-10-21 02:35 . 2008-10-21 02:35 87,212 --a------ C:\Setup_ver1.1779.2.exe
2008-10-21 02:35 . 2008-10-21 02:35 46,130 --a------ C:\Autorun.exe
2008-10-21 01:54 . 2008-10-21 01:54 <DIR> d-------- C:\Program Files\Doomsday
2008-10-21 01:47 . 2008-10-21 01:47 0 --a------ C:\WINDOWS\WB.ini
2008-10-21 01:36 . 2007-07-11 15:06 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
2008-10-19 01:02 . 2008-10-19 05:06 <DIR> d-------- C:\Program Files\Exterminate It!
2008-10-19 00:01 . 2008-10-19 00:01 <DIR> d-------- C:\Program Files\Godlike Developers
2008-10-18 23:53 . 2008-10-18 23:53 <DIR> d-------- C:\Program Files\VirtualDJ
2008-10-18 23:49 . 2008-10-18 23:51 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-10-18 23:49 . 2008-10-18 23:49 306,432 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-10-18 23:49 . 2007-12-20 10:41 29,440 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-10-18 23:47 . 2008-10-19 00:52 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-18 23:42 . 2008-10-18 23:42 <DIR> d-------- C:\Program Files\FastStone Image Viewer
2008-10-18 23:39 . 2008-10-18 23:39 <DIR> d-------- C:\Program Files\illiminable
2008-10-18 23:39 . 2008-10-18 23:39 <DIR> d-------- C:\Documents and Settings\Bojan\Application Data\vlc
2008-10-18 23:38 . 2008-10-18 23:38 <DIR> d-------- C:\Program Files\VideoLAN
2008-10-18 23:34 . 2008-10-18 23:34 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-18 23:34 . 2008-10-18 23:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-18 23:29 . 2008-10-18 23:29 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-10-18 22:51 . 2008-10-18 22:51 <DIR> d-------- C:\Program Files\Opera
2008-10-18 19:55 . 2008-10-21 01:20 <DIR> d-------- C:\PROGRAMI BEZ INSTALACIJE
2008-10-18 19:00 . 2008-10-18 19:00 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-10-18 18:35 . 2008-10-18 18:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\KONAMI
2008-10-18 18:13 . 2008-10-18 18:13 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-10-18 18:12 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-10-18 18:07 . 2008-10-18 18:08 <DIR> d-------- C:\totalcmd
2008-10-18 18:07 . 2008-10-19 00:22 611 --a------ C:\WINDOWS\wincmd.ini
2008-10-18 18:07 . 2008-08-08 07:04 545 --a------ C:\WINDOWS\UC.PIF
2008-10-18 18:07 . 2008-08-08 07:04 545 --a------ C:\WINDOWS\RAR.PIF
2008-10-18 18:07 . 2008-08-08 07:04 545 --a------ C:\WINDOWS\PKZIP.PIF
2008-10-18 18:07 . 2008-08-08 07:04 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2008-10-18 18:07 . 2008-08-08 07:04 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2008-10-18 18:07 . 2008-08-08 07:04 545 --a------ C:\WINDOWS\LHA.PIF
2008-10-18 18:07 . 2008-08-08 07:04 545 --a------ C:\WINDOWS\ARJ.PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-20 23:36 --------- d-----w C:\Program Files\Stardock
2008-10-18 21:59 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-10-18 21:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\Bojan\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2007-06-24 1642496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCpl"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)
"DisableLockWorkstation"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuPinnedList"= 0 (0x0)
"NoStartMenuMFUprogramsList"= 1 (0x1)
"NoUserNameInStartMenu"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-10-21 01:38 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=

R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R3 Cap7134;ASUS TV7134 WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2003-07-18 349056]
R3 PhTVTune;ASUS WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2003-07-18 24608]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-10-18 306432]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2008-10-18 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 15:17]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 03:02:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
.
**************************************************************************
.
Completion time: 2008-10-21 3:05:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-21 01:05:32
ComboFix2.txt 2008-10-20 19:47:45
ComboFix3.txt 2008-10-20 07:44:47
ComboFix4.txt 2008-10-19 23:12:59

Pre-Run: 15,191,629,824 bytes free
Post-Run: 15,181,037,568 bytes free


  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Download gmer.zip from this link and save it to the Desktop.
Unpack it into a folder.

Double-click gmer.exe to start: select the Rootkit/Malware tab at the top.
Click Scan.
When the scan is finished, click the Copy button below - this saves the scan results to the Clipboard.
Use Paste in Notepad to turn that into text. Save that text from Notepad as file1.txt.
Repeat the same with the Autostart tab. Save that text from Notepad as file2.txt.


Use the Attach file option below the message box on the forum, and attach the two files we just saved here.

Double-click gmer.exe to start: select the Rootkit/Malware tab at the top.
Right-click in the middle of the program window. A menu will appear in which you need to go to Options and tick the option Only non MS files.
Click Scan.
When the scan is finished, click the Copy button below - this saves the scan results to the Clipboard.
Use Paste in Notepad to turn that into text. Save that text from Notepad as file3.txt.


Use the Attach file option below the message box on the forum, and attach the file we just saved here.

  • Joined: 03 May 2005
  • Posts: 1298
  • Location: Vršac

[attachments: login required to view]

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Nothing. Clean logs.

Did you stop the Spooler service when I told you above to do that before running the script?
That is the only place where the infection could have stayed in memory and from there re-created the files on disk.

  • Joined: 03 May 2005
  • Posts: 1298
  • Location: Vršac

I turned it off then, but it is currently on again. Whether it turned itself on or something turned it on, I have no idea. Should I turn it off? I do not have a printer anyway.

Update: 21 Oct 2008 21:01

Oh yes, today when I came home from work and turned on the computer, those partition icons went back to normal - by themselves.

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Disable the Spooler, and once you see that it is disabled, run HijackThis and ComboFix again.

As for the icons - they get messed up if there is an autorun.inf file in the root of the partition.
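The drive-root check described in this reply, as an added example that is not part of the original thread and is not code from ComboFix, GMER or HijackThis: a small Python triage script that parses ComboFix "Files Created" lines (the sample lines are copied from the log posted above), flags anything sitting directly in a drive root that is an autorun.inf or an executable, and reads the keys of an autorun.inf [autorun] section that launch a program or replace the drive icon. The autorun.inf text is a constructed sample of the typical layout, not the file from the affected PC, and the function names are this example's own.

```python
"""Triage helpers for ComboFix 'Files Created' lines and autorun.inf files.

Added example, not code from the forum thread, ComboFix or GMER.
SAMPLE_COMBOFIX_LINES and SAMPLE_DELETIONS are copied from the log posted in
the thread; SAMPLE_AUTORUN_INF is a constructed sample, not the real file.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One ComboFix "Files Created" line:
#   <created> . <modified> <size or <DIR>> <attributes> <path>
_LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size><DIR>|[\d,]+) "
    r"(?P<attrs>\S+) "
    r"(?P<path>.+)$"
)

# "X:\name" with no further path component, i.e. an entry directly in a drive root.
_ROOT_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")

# Extensions Windows executes directly; .pif and .scr are easy to overlook.
_EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs")


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for <DIR> entries
    attrs: str
    path: str


def parse_created_lines(text: str) -> List[Entry]:
    """Parse the lines of a ComboFix 'Files Created' section; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def flag_root_artifacts(paths: Iterable[str]) -> List[str]:
    """Return paths that sit directly in a drive root and are autorun.inf or executables.

    Legitimate software almost never drops executables into a drive root; an
    autorun.inf there is how removable-media worms get launched and how drive
    icons get replaced.
    """
    flagged = []
    for path in paths:
        if not _ROOT_RE.match(path):
            continue
        name = path.rsplit("\\", 1)[-1].lower()
        if name == "autorun.inf" or name.endswith(_EXEC_EXT):
            flagged.append(path)
    return flagged


def parse_autorun_inf(text: str) -> dict:
    """Return the key=value pairs of the [autorun] section, keys lower-cased."""
    section = None
    keys = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            keys[key.strip().lower()] = value.strip()
    return keys


def autorun_launch_targets(text: str) -> List[str]:
    """Commands an autorun.inf would run: open=, shellexecute= and shell\\<verb>\\command=."""
    keys = parse_autorun_inf(text)
    targets = [keys[k] for k in ("open", "shellexecute") if k in keys]
    targets += [v for k, v in keys.items() if k.startswith("shell\\") and k.endswith("\\command")]
    return targets


# Lines copied from the ComboFix log posted in the thread (2008-10-21 run).
SAMPLE_COMBOFIX_LINES = r"""
2008-10-21 02:35 . 2008-10-21 02:35 87,212 --a------ C:\Setup_ver1.1779.2.exe
2008-10-21 02:35 . 2008-10-21 02:35 46,130 --a------ C:\Autorun.exe
2008-10-21 01:54 . 2008-10-21 01:54 <DIR> d-------- C:\Program Files\Doomsday
2008-10-21 01:36 . 2007-07-11 15:06 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
2008-10-18 18:07 . 2008-10-18 18:08 <DIR> d-------- C:\totalcmd
"""

# Paths from the "Other Deletions" section of the same log.
SAMPLE_DELETIONS = [r"C:\autorun.inf", r"D:\Autorun.inf", r"E:\Autorun.inf", r"H:\Autorun.inf"]

# Constructed sample of a typical worm autorun.inf layout; NOT the real file from the PC.
SAMPLE_AUTORUN_INF = """
[autorun]
open=Autorun.exe
shellexecute=Autorun.exe
shell\\explore\\command=Autorun.exe
icon=Autorun.exe,0
"""

if __name__ == "__main__":
    entries = parse_created_lines(SAMPLE_COMBOFIX_LINES)
    print("root executables:", flag_root_artifacts(e.path for e in entries))
    print("root autorun.inf:", flag_root_artifacts(SAMPLE_DELETIONS))
    print("autorun.inf would run:", autorun_launch_targets(SAMPLE_AUTORUN_INF))
    print("drive icon key:", parse_autorun_inf(SAMPLE_AUTORUN_INF).get("icon"))
```

Run on the posted log, the root filter isolates exactly the two files the poster noticed (Autorun.exe and Setup_ver1.1779.2.exe) and the four autorun.inf files ComboFix deleted, while program directories such as C:\totalcmd pass through; the icon= key is the mechanism behind the changed partition icons mentioned above.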

  • Joined: 03 May 2005
  • Posts: 1298
  • Location: Vršac

ComboFix 08-10-18.03 - Bojan 2008-10-21 21:39:28.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.554 [GMT 2:00]
Running from: C:\Documents and Settings\Bojan\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-09-21 to 2008-10-21 )))))))))))))))))))))))))))))))
.

2008-10-21 19:58 . 2008-10-21 19:58 79,878 --a------ C:\WINDOWS\RGI11.tmp
2008-10-21 17:48 . 2008-10-21 17:48 250 --a------ C:\WINDOWS\gmer.ini
2008-10-21 01:54 . 2008-10-21 01:54 <DIR> d-------- C:\Program Files\Doomsday
2008-10-21 01:47 . 2008-10-21 01:47 0 --a------ C:\WINDOWS\WB.ini
2008-10-21 01:36 . 2007-07-11 15:06 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
2008-10-19 01:02 . 2008-10-19 05:06 <DIR> d-------- C:\Program Files\Exterminate It!
2008-10-19 00:01 . 2008-10-19 00:01 <DIR> d-------- C:\Program Files\Godlike Developers
2008-10-18 23:53 . 2008-10-18 23:53 <DIR> d-------- C:\Program Files\VirtualDJ
2008-10-18 23:49 . 2008-10-18 23:51 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-10-18 23:49 . 2008-10-18 23:49 306,432 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-10-18 23:49 . 2007-12-20 10:41 29,440 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-10-18 23:47 . 2008-10-19 00:52 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-18 23:42 . 2008-10-18 23:42 <DIR> d-------- C:\Program Files\FastStone Image Viewer
2008-10-18 23:39 . 2008-10-18 23:39 <DIR> d-------- C:\Program Files\illiminable
2008-10-18 23:39 . 2008-10-18 23:39 <DIR> d-------- C:\Documents and Settings\Bojan\Application Data\vlc
2008-10-18 23:38 . 2008-10-18 23:38 <DIR> d-------- C:\Program Files\VideoLAN
2008-10-18 23:34 . 2008-10-18 23:34 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-18 23:34 . 2008-10-18 23:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-18 23:29 . 2008-10-18 23:29 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-10-18 22:51 . 2008-10-18 22:51 <DIR> d-------- C:\Program Files\Opera
2008-10-18 19:55 . 2008-10-21 01:20 <DIR> d-------- C:\PROGRAMI BEZ INSTALACIJE
2008-10-18 19:00 . 2008-10-18 19:00 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-10-18 18:35 . 2008-10-18 18:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\KONAMI
2008-10-18 18:13 . 2008-10-18 18:13 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-10-18 18:12 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-10-18 18:07 . 2008-10-18 18:08 <DIR> d-------- C:\totalcmd
2008-10-18 18:07 . 2008-10-19 00:22 611 --a------ C:\WINDOWS\wincmd.ini
2008-10-18 18:07 . 2008-08-08 07:04 545 --a------ C:\WINDOWS\UC.PIF
2008-10-18 18:07 . 2008-08-08 07:04 545 --a------ C:\WINDOWS\RAR.PIF
2008-10-18 18:07 . 2008-08-08 07:04 545 --a------ C:\WINDOWS\PKZIP.PIF
2008-10-18 18:07 . 2008-08-08 07:04 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2008-10-18 18:07 . 2008-08-08 07:04 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2008-10-18 18:07 . 2008-08-08 07:04 545 --a------ C:\WINDOWS\LHA.PIF
2008-10-18 18:07 . 2008-08-08 07:04 545 --a------ C:\WINDOWS\ARJ.PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-20 23:36 --------- d-----w C:\Program Files\Stardock
2008-10-18 21:59 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-10-18 21:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
.

((((((((((((((((((((((((((((( snapshot@2008-10-20_21.47.24.79 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-21 15:48:02 884,736 ----a-w C:\WINDOWS\gmer.dll
+ 2008-04-17 19:13:02 811,008 ----a-w C:\WINDOWS\gmer.exe
+ 2008-10-21 15:48:02 85,969 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\Bojan\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2007-06-24 1642496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCpl"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)
"DisableLockWorkstation"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuPinnedList"= 0 (0x0)
"NoStartMenuMFUprogramsList"= 1 (0x1)
"NoUserNameInStartMenu"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-10-21 01:38 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=

R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R3 Cap7134;ASUS TV7134 WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2003-07-18 349056]
R3 PhTVTune;ASUS WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2003-07-18 24608]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-10-18 306432]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2008-10-18 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 15:17]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 21:42:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
.
**************************************************************************
.
Completion time: 2008-10-21 21:45:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-21 19:45:04
ComboFix2.txt 2008-10-21 01:05:37
ComboFix3.txt 2008-10-20 19:47:45
ComboFix4.txt 2008-10-20 07:44:47
ComboFix5.txt 2008-10-21 19:39:15

Pre-Run: 15,154,765,824 bytes free
Post-Run: 15,143,968,768 bytes free

Addendum: 21 Oct 2008 21:50

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:48:17, on 21-Oct-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Bojan\Desktop\New Folder\TR3.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - Unknown owner - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 4142 bytes

Addendum: 21 Oct 2008 21:55

The computer is running fine, it's just that this showed up yesterday. I set that print spooler not to start automatically. If I run into bigger problems I'll get back to you, and if it keeps working like this, I'll be happy.

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

There is nothing in the logs either.

Let me know if anything shows up again.
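A small triage script for logs like the two posted above (an added example; it is not part of this thread and not a HijackThis or ComboFix feature). It walks the HijackThis O4 and O23 lines, the bare paths under 'Running processes', and the ComboFix Security Center values, and lists the entries a log reader normally wants accounted for before calling a machine clean: a service whose file is missing, a service with 'Unknown owner', a process or autostart running from a user profile instead of Windows or Program Files, and an AntiVirusDisableNotify / UpdatesDisableNotify value of 1. The sample lines are copied from the logs above; the trusted-directory list and the heuristics are this example's own assumptions, and a flag means "look at this", not "this is malware".

```python
"""Triage helper for HijackThis / ComboFix text logs (added example).

Not a HijackThis or ComboFix feature and not code from the thread: it walks
the O4 / O23 lines, the bare 'Running processes' paths and the ComboFix
Security Center values and lists the entries an analyst would look at first.
Flags are review prompts, not malware verdicts. The trusted-directory list
and the heuristics are this example's own assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: autostarts and services normally live under these prefixes.
# Anything else is a reason to look closer, not proof of infection.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# HijackThis line shapes (O4 = autostart, O23 = service) and a bare path line
# as printed under 'Running processes:'.
O4_RE = re.compile(
    r"^O4 - .*?(?:\] | = )(?P<path>[A-Za-z]:\\.+?)(?: \(User [^)]*\))?\s*$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?\s*$")
PATH_LINE_RE = re.compile(r"^[A-Za-z]:\\\S.*$")
# ComboFix prints the Security Center values in REGEDIT4 syntax; a value of 1
# means Windows stops warning the user about that subsystem's status.
SECCENTER_RE = re.compile(
    r'^"(?P<key>AntiVirusDisableNotify|FirewallDisableNotify|UpdatesDisableNotify)"'
    r"=dword:(?P<val>[0-9A-Fa-f]{8})$")


@dataclass(frozen=True)
class Finding:
    kind: str     # "process", "O4", "O23" or "seccenter"
    subject: str  # file path or registry value name
    reason: str


def is_trusted_path(path: str) -> bool:
    """True when the path sits under one of the expected system directories."""
    return path.strip().lower().startswith(TRUSTED_PREFIXES)


def triage(log_text: str) -> list[Finding]:
    """Return review prompts for the lines of an HJT/ComboFix log worth a second look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := O23_RE.match(line):
            path = m.group("path")
            if m.group("missing"):
                findings.append(Finding("O23", path, "service points at a file that is gone (orphaned entry)"))
            if m.group("owner") == "Unknown owner":
                findings.append(Finding("O23", path, "service binary carries no publisher information"))
            if not is_trusted_path(path):
                findings.append(Finding("O23", path, "service binary outside Windows/Program Files"))
        elif m := O4_RE.match(line):
            if not is_trusted_path(m.group("path")):
                findings.append(Finding("O4", m.group("path"), "autostart from outside Windows/Program Files"))
        elif m := SECCENTER_RE.match(line):
            if int(m.group("val"), 16) == 1:
                findings.append(Finding("seccenter", m.group("key"), "Security Center warning suppressed"))
        elif PATH_LINE_RE.match(line) and not is_trusted_path(line):
            findings.append(Finding("process", line, "running from a user-profile or other non-standard location"))
    return findings


def summarize(findings: list[Finding]) -> Counter:
    """Count findings per kind."""
    return Counter(f.kind for f in findings)


# Constructed sample: a subset of the HijackThis and ComboFix lines posted in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Bojan\Desktop\New Folder\TR3.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - Unknown owner - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe (file missing)
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}: {f.reason}")
```

Run as-is to see the flagged lines from the sample, or pass a whole HijackThis log to triage() to apply the same checks. On the sample it reports the three O23 flags (the orphaned TuneUp 2004 service and the two 'Unknown owner' services), the process started from the user's Desktop, and the two Security Center values that tell Windows not to warn about antivirus or update status; none of that is a verdict, it is the list of things to explain before closing the case.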
