Please help, the computer reports that something is missing at startup



  • Joined: 10 May 2005
  • Posts: 273
  • Location: Beograd

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:47:00, on 3/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Free Download Manager\FUM\fumoei.exe
C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\GORANCE\Desktop\guty\tr3.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mozzart.rs/index.jsp
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL (file missing)
O3 - Toolbar: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Free Uploader Oe Integration] C:\Program Files\Free Download Manager\FUM\fumoei.exe
O4 - HKCU\..\Run: [IE Privacy Keeper] "C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" -startup
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Program Files\Free Download Manager\FUM\fumiebtn.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{05090535-139C-492D-8339-C438BE9B03A5}: NameServer = 212.124.160.1,82.117.194.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C324343-A816-476C-ADED-701895CD52AA}: NameServer = 212.124.160.1,212.124.160.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{05090535-139C-492D-8339-C438BE9B03A5}: NameServer = 212.124.160.1,82.117.194.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{05090535-139C-492D-8339-C438BE9B03A5}: NameServer = 212.124.160.1,82.117.194.2
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4848 bytes


In the file C:\WINDOWS\system32\csrcs.exe it says there is a
win32/Packed.Autoin.Gen application

and one more:
C:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsg.vmx
win32/Conficker.AL.worm


NOD sees it, but when I delete it, a message on the screen tells me that Windows is missing csrcs.exe


Thanks in advance

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Greetings...

Run ESET Smart Security/ESET NOD32 in the following way:
Start>All Programs>ESET>ESET Smart Security, or ESET NOD32 Antivirus (if you use only the Antivirus solution).

* When the program's main window opens, click the Setup option on the left side of the window;
* Choose the Antivirus and antispyware option and click Temporarily disable Antivirus and antispyware protection.
* At the next question, click Yes.


Download ComboFix to the Desktop from one of the following addresses:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Start it and do not touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear, which you will copy here for us.

  • Joined: 10 May 2005
  • Posts: 273
  • Location: Beograd

ComboFix 09-03-06.02 - GORANCE 2009-03-09 21:43:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.587 [GMT 1:00]
Running from: c:\documents and settings\GORANCE\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\azip32.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-09 to 2009-03-09 )))))))))))))))))))))))))))))))
.

2009-03-08 20:00 . 2009-03-08 20:00 0 -rahs---- C:\kht
2009-03-08 19:58 . 2009-03-08 19:58 1,191 -rahs---- c:\windows\system32\autorun.in
2009-03-08 19:58 . 2009-03-08 19:58 1,178 -rahs---- c:\windows\system32\autorun.i
2009-03-07 00:00 . 2009-03-07 00:00 <DIR> d-------- C:\Programas
2009-03-06 23:59 . 2009-03-06 23:59 <DIR> d-------- c:\documents and settings\GORANCE\Application Data\ESET
2009-03-06 23:58 . 2009-03-07 00:28 <DIR> d-------- c:\program files\ESET
2009-03-06 21:58 . 2009-03-06 23:39 <DIR> d-------- c:\program files\COMODO
2009-03-06 21:58 . 2009-03-06 23:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Comodo
2009-03-06 21:42 . 2009-03-06 21:43 <DIR> d-------- c:\windows\Internet Logs
2009-03-06 20:56 . 2003-03-18 21:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-02-28 01:00 . 2009-03-05 19:55 <DIR> d-------- c:\program files\Winamp
2009-02-20 03:24 . 2009-02-20 03:24 <DIR> d-------- c:\program files\Readon Technology
2009-02-14 00:04 . 2009-02-14 00:04 <DIR> d-------- c:\documents and settings\GORANCE\Application Data\Participatory Culture Foundation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-09 01:24 --------- d-----w c:\documents and settings\GORANCE\Application Data\AIMP
2009-03-06 22:58 --------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-03-06 19:46 --------- d-----w c:\documents and settings\GORANCE\Application Data\Lavasoft
2009-02-10 18:48 --------- d-----w c:\program files\AIMP2
2009-02-02 22:06 --------- d-----w c:\documents and settings\GORANCE\Application Data\Free Download Manager
2009-02-02 20:32 --------- d-----w c:\program files\Ahead
2009-02-02 20:31 --------- d-----w c:\program files\Common Files\Ahead
2009-01-30 01:18 737,280 ----a-w c:\windows\iun6002.exe
2009-01-23 19:23 --------- d-----w c:\program files\GonVisor
2002-12-31 12:00 167,403 --sha-r c:\windows\system32\xxykeecp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]
"Free Uploader Oe Integration"="c:\program files\Free Download Manager\FUM\fumoei.exe" [2007-06-10 40960]
"IE Privacy Keeper"="c:\program files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" [2005-04-30 962560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2007-06-06 657168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-05-29 10:00 8704 c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.GEOX"= GeoCodec.dll
"msacm.l3fhg"= mp3fhg.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4612:TCP"= 4612:TCP:WWW

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007-12-21 33800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]
R3 netModUSBService;Service for netMod USB CAPI Driver;c:\windows\system32\drivers\nMUSB.sys [2008-12-28 62824]
S2 dzgprm;dzgprm;c:\windows\system32\svchost.exe -k netsvcs [2002-12-31 14336]
S2 enxdt;Helper Boot;c:\windows\system32\svchost.exe -k netsvcs [2002-12-31 14336]
S2 trezifvna;Support Monitor;c:\windows\system32\svchost.exe -k netsvcs [2002-12-31 14336]
S3 acfva;acfva;c:\windows\system32\drivers\acfva.sys [2007-05-30 86144]
S3 hewtr;hewtr;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-12-05 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-12-05 8320]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
dzgprm
trezifvna
enxdt

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{259a9265-c7b6-11dc-9a98-0011679a5baa}]
\Shell\AutoRun\command - F:\yew.bat
\Shell\explore\Command - F:\yew.bat
\Shell\open\Command - F:\yew.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f140e04-bf2b-11dc-9a92-0011679a5baa}]
\Shell\AutoRun\command - F:\krg62.cmd
\Shell\explore\Command - F:\krg62.cmd
\Shell\open\Command - F:\krg62.cmd
.
- - - - ORPHANS REMOVED - - - -

BHO-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - c:\progra~1\MEGAUP~2\MEGAUP~1.DLL
Toolbar-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - c:\progra~1\MEGAUP~2\MEGAUP~1.DLL
WebBrowser-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - c:\progra~1\MEGAUP~2\MEGAUP~1.DLL
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
MSConfigStartUp-BSplayer_WhenUSave_Installer - c:\program files\BSplayer_WhenUSave_Installer\BSplayer_WhenUSave_Installer.exe
MSConfigStartUp-slide - c:\program files\Slide\Slide.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mozzart.rs/index.jsp
uInternet Settings,ProxyOverride = <local>
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - c:\program files\Free Download Manager\FUM\fumiebtn.dll
TCP: {05090535-139C-492D-8339-C438BE9B03A5} = 212.124.160.1,82.117.194.2
TCP: {1C324343-A816-476C-ADED-701895CD52AA} = 212.124.160.1,212.124.160.2
FF - ProfilePath - c:\documents and settings\GORANCE\Application Data\Mozilla\Firefox\Profiles\dxwpyqaj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.xscores.com/
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-09 21:44:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hewtr]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\enxdt]
"ServiceDll"="c:\windows\system32\xxykeecp.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\trezifvna]
"ServiceDll"="c:\windows\system32\xxykeecp.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-1060284298-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
Completion time: 2009-03-09 21:46:09
ComboFix-quarantined-files.txt 2009-03-09 20:45:58

Pre-Run: 31,219,974,144 bytes free
Post-Run: 31,209,508,864 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

gorance, are you reading my mind? And in advance, at that?

Open Notepad and copy the following text:

File::
C:\kht
c:\windows\system32\autorun.in
c:\windows\system32\autorun.i
c:\windows\system32\xxykeecp.dll

Driver::
dzgprm
enxdt
trezifvna
hewtr

NetSvc::
dzgprm
trezifvna
enxdt

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{259a9265-c7b6-11dc-9a98-0011679a5baa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f140e04-bf2b-11dc-9a92-0011679a5baa}]


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as in the picture.
Post in your next message the log that is produced at the end of the cleaning/scanning.
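The checks that went into building that CFScript (hidden+system files dropped into the drive root or system32, svchost "netsvcs" services with no real description or backed by such a hidden DLL, a service whose image is a .tmp file, and mountpoints2 AutoRun handlers that launch a file from a drive) can be written out as code. The script below is an added example, not something from this thread and not a ComboFix or ESET tool; the sample log lines are constructed from the ComboFix log posted above, the "description equals the service name" and "hidden+system file in root/system32" rules are heuristics of my own, and the output only mirrors the File::/Driver::/NetSvc::/Registry:: layout so a reviewer can compare it with the hand-written script.

```python
"""Triage of a ComboFix log excerpt: the checks made by eye in this thread,
written out as code, rendered in CFScript section format.
Added example; not a ComboFix or ESET tool and not from the forum."""
import re

# Constructed sample: lines modelled on the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
2009-03-08 20:00 . 2009-03-08 20:00 0 -rahs---- C:\kht
2009-03-08 19:58 . 2009-03-08 19:58 1,191 -rahs---- c:\windows\system32\autorun.in
2009-01-30 01:18 737,280 ----a-w c:\windows\iun6002.exe
2002-12-31 12:00 167,403 --sha-r c:\windows\system32\xxykeecp.dll
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]
S2 dzgprm;dzgprm;c:\windows\system32\svchost.exe -k netsvcs [2002-12-31 14336]
S2 enxdt;Helper Boot;c:\windows\system32\svchost.exe -k netsvcs [2002-12-31 14336]
S2 trezifvna;Support Monitor;c:\windows\system32\svchost.exe -k netsvcs [2002-12-31 14336]
S3 hewtr;hewtr;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{259a9265-c7b6-11dc-9a98-0011679a5baa}]
\Shell\AutoRun\command - F:\yew.bat
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\enxdt]
"ServiceDll"="c:\windows\system32\xxykeecp.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\trezifvna]
"ServiceDll"="c:\windows\system32\xxykeecp.dll"
"""

SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[[^\]]*\]$')
FILE_RE = re.compile(r'\s(?:[\d,]+|-+|<DIR>)\s+([-a-z]{7,9})\s+([A-Za-z]:\\.*)$')
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?:ServiceDll|ImagePath)"="(.*)"$')
MOUNT_RE = re.compile(r'^\\Shell\\(?:AutoRun|open|explore)\\[Cc]ommand - (.*)$')
ROOT_OR_SYSTEM32 = re.compile(r'^[a-z]:\\(?:windows\\system32\\)?([^\\]+)$')
# Hidden+system files that legitimately sit in an XP drive root.
KNOWN_ROOT = {'boot.ini', 'ntldr', 'ntdetect.com', 'pagefile.sys',
              'hiberfil.sys', 'io.sys', 'msdos.sys'}


def parse_log(text):
    """Collect services, hidden+system files, service targets, mountpoints2 handlers."""
    services, hidden, targets, mounts, key = {}, [], {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = SERVICE_RE.match(line)
        if m:                                  # "S2 name;description;image [date size]"
            services[m.group(2).lower()] = (m.group(3), m.group(4))
            continue
        m = FILE_RE.search(line)
        if m:                                  # file line: attributes then path
            attrs, path = m.group(1), m.group(2).lower()
            if 'h' in attrs and 's' in attrs and path not in hidden:
                hidden.append(path)
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:                          # ServiceDll/ImagePath under Services\<name>
            targets[key.rsplit('\\', 1)[-1].lower()] = m.group(1).lower()
            continue
        m = MOUNT_RE.match(line)
        if m and key and 'mountpoints2' in key.lower():
            mounts.setdefault(key, []).append(m.group(1))
    return services, hidden, targets, mounts


def triage(text):
    """Return (findings per CFScript section, reasons per flagged item)."""
    services, hidden, targets, mounts = parse_log(text)
    findings = {'File': [], 'Driver': [], 'NetSvc': [], 'Registry': []}
    reasons = {}

    def add(section, item):
        if item not in findings[section]:
            findings[section].append(item)

    # 1. Hidden+system files dropped straight into the drive root or system32 (heuristic).
    for path in hidden:
        m = ROOT_OR_SYSTEM32.match(path)
        if m and m.group(1) not in KNOWN_ROOT:
            add('File', path)
    # 2. Services backed by a hidden+system file, netsvcs services whose
    #    "description" is just their own name (heuristic), or a *.tmp image.
    for name, (desc, image) in services.items():
        netsvcs = 'svchost.exe -k netsvcs' in image.lower()
        target = targets.get(name, '')
        why = []
        if target in hidden:
            why.append('backed by hidden+system file ' + target)
            add('File', target)
        if netsvcs and desc.strip().lower() == name:
            why.append('netsvcs service with no real description')
        if '.tmp' in image.lower() or '.tmp' in target:
            why.append('service image is a .tmp file')
        if why:
            reasons[name] = why
            add('Driver', name)
            if netsvcs:
                add('NetSvc', name)
    # 3. Per-volume AutoRun/open/explore handlers that launch a file from the drive.
    for reg_key, cmds in mounts.items():
        if any(re.match(r'^[a-z]:\\', c.lower()) for c in cmds):
            add('Registry', '[-%s]' % reg_key)
            reasons[reg_key] = ['shell handler runs ' + cmds[0]]
    return findings, reasons


def build_cfscript(findings):
    """Render findings in the CFScript section layout used in the thread."""
    out = []
    for section in ('File', 'Driver', 'NetSvc', 'Registry'):
        if findings[section]:
            out += [section + '::'] + findings[section] + ['']
    return '\n'.join(out).rstrip()


if __name__ == '__main__':
    found, why = triage(SAMPLE_LOG)
    for item, rs in why.items():
        print('%-20s %s' % (item, '; '.join(rs)))
    print()
    print(build_cfscript(found))
```

Run it as-is and it prints the reasons for each flagged entry followed by a script whose File::, Driver::, NetSvc:: and Registry:: sections match the ones in the post above. It is a review list for a human, not an automatic remover: a netsvcs service with a terse name or a hidden file in system32 is a reason to look, and the ServiceDll cross-reference (two services pointing at the same hidden DLL) is the part that turns suspicion into a finding.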

  • Joined: 10 May 2005
  • Posts: 273
  • Location: Beograd

Well, I roughly know how, but not what :-) I looked around this topic a bit and noticed that all of this has to be done first.

It won't work; it throws this:
Were you trying run CFScript?
The name,CFScript appears to be incorect spelt

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

As it says: the name is not written correctly. The file needs to be called CFScript (or, if you have display of file extensions enabled, CFScript.txt).

Try again...

  • Joined: 10 May 2005
  • Posts: 273
  • Location: Beograd

ComboFix 09-03-06.02 - GORANCE 2009-03-09 22:35:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.601 [GMT 1:00]
Running from: c:\documents and settings\GORANCE\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\GORANCE\Desktop\CFScript.txt.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
C:\kht
c:\windows\system32\autorun.i
c:\windows\system32\autorun.in
c:\windows\system32\xxykeecp.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\kht
c:\windows\system32\autorun.i
c:\windows\system32\autorun.in
c:\windows\system32\xxykeecp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DZGPRM
-------\Legacy_ENXDT
-------\Legacy_HEWTR
-------\Legacy_TREZIFVNA
-------\Service_dzgprm
-------\Service_enxdt
-------\Service_hewtr
-------\Service_trezifvna


((((((((((((((((((((((((( Files Created from 2009-02-09 to 2009-03-09 )))))))))))))))))))))))))))))))
.

2009-03-07 00:00 . 2009-03-07 00:00 <DIR> d-------- C:\Programas
2009-03-06 23:59 . 2009-03-06 23:59 <DIR> d-------- c:\documents and settings\GORANCE\Application Data\ESET
2009-03-06 23:58 . 2009-03-07 00:28 <DIR> d-------- c:\program files\ESET
2009-03-06 21:58 . 2009-03-06 23:39 <DIR> d-------- c:\program files\COMODO
2009-03-06 21:58 . 2009-03-06 23:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Comodo
2009-03-06 21:42 . 2009-03-06 21:43 <DIR> d-------- c:\windows\Internet Logs
2009-03-06 20:56 . 2003-03-18 21:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-02-28 01:00 . 2009-03-05 19:55 <DIR> d-------- c:\program files\Winamp
2009-02-20 03:24 . 2009-02-20 03:24 <DIR> d-------- c:\program files\Readon Technology
2009-02-14 00:04 . 2009-02-14 00:04 <DIR> d-------- c:\documents and settings\GORANCE\Application Data\Participatory Culture Foundation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-09 01:24 --------- d-----w c:\documents and settings\GORANCE\Application Data\AIMP
2009-03-06 22:58 --------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-03-06 19:46 --------- d-----w c:\documents and settings\GORANCE\Application Data\Lavasoft
2009-02-10 18:48 --------- d-----w c:\program files\AIMP2
2009-02-02 22:06 --------- d-----w c:\documents and settings\GORANCE\Application Data\Free Download Manager
2009-02-02 20:32 --------- d-----w c:\program files\Ahead
2009-02-02 20:31 --------- d-----w c:\program files\Common Files\Ahead
2009-01-30 01:18 737,280 ----a-w c:\windows\iun6002.exe
2009-01-23 19:23 --------- d-----w c:\program files\GonVisor
.

((((((((((((((((((((((((((((( SnapShot@2009-03-09_21.44.37.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]
"Free Uploader Oe Integration"="c:\program files\Free Download Manager\FUM\fumoei.exe" [2007-06-10 40960]
"IE Privacy Keeper"="c:\program files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" [2005-04-30 962560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2007-06-06 657168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-05-29 10:00 8704 c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.GEOX"= GeoCodec.dll
"msacm.l3fhg"= mp3fhg.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4612:TCP"= 4612:TCP:WWW

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007-12-21 33800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]
R3 netModUSBService;Service for netMod USB CAPI Driver;c:\windows\system32\drivers\nMUSB.sys [2008-12-28 62824]
S3 acfva;acfva;c:\windows\system32\drivers\acfva.sys [2007-05-30 86144]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-12-05 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-12-05 8320]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mozzart.rs/index.jsp
uInternet Settings,ProxyOverride = <local>
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - c:\program files\Free Download Manager\FUM\fumiebtn.dll
TCP: {05090535-139C-492D-8339-C438BE9B03A5} = 212.124.160.1,82.117.194.2
TCP: {1C324343-A816-476C-ADED-701895CD52AA} = 212.124.160.1,212.124.160.2
FF - ProfilePath - c:\documents and settings\GORANCE\Application Data\Mozilla\Firefox\Profiles\dxwpyqaj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.xscores.com/
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-09 22:40:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-1060284298-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-09 22:42:38 - machine was rebooted [GORANCE]
ComboFix-quarantined-files.txt 2009-03-09 21:42:34
ComboFix2.txt 2009-03-09 20:46:11

Pre-Run: 31,197,831,168 bytes free
Post-Run: 31,151,435,776 bytes free


I saw it, but too late, after I had already gotten annoyed at myself for being such a klutz :-)

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Run a disk scan with the antivirus. Does it now detect anything that it cannot delete?

Do you have any USB flash drives?

  • Joined: 10 May 2005
  • Posts: 273
  • Location: Beograd

I have at least 50 or so USB flash drives, because every Monday I give them to the workers to carry some codes for transferring the takings; we swap them every week.
I figured that out and I think I removed it; it was that worm, RECYCLED I guess, that locks hidden files, but I'll see now after the scan, maybe it came back ;-) Can it get into my computer from the network, and if it can, what should I install to protect myself? If it's the USB, I'll set up one machine just for that and let it fill up as much as it likes :)
40%, nothing so far, just let it go on like this, ufff
This is going to take a while; I'll report back on what happened.

Update: 09 Mar 2009 23:58

C:\Qoobox\Quarantine\C\WINDOWS\system32\_xxykeecp_.dll.zip » ZIP » xxykeecp.dll - Win32/Conficker.AL worm - was a part of the deleted object

I deleted this manually, along with everything in that folder.

Something called veyujd.exe is coming in over the network. I'll deal with that easily; I shared only one folder, so I can easily delete it from there.
I have this same problem on one more machine; should I do the same thing, or should we talk again ;)
Otherwise there is nothing else. If I can solve it this way, thanks a lot, and if there is another solution, advise me. Thanks once again.

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

The problem is surely not the same (however much it may seem so), so the procedure applied here is of no use (what's more, it can do damage).

As for cleaning that or other computers:
http://www.mycity.rs/Ambulanta/Pravila-ovog-dela-foruma.html

Item #9.

What remains to be done here is the following:
Click START and then RUN
In the text entry line type Combofix /u and click OK

Wait for the uninstall process to finish

That's it.
