Cannot access the D partition on the HD

  • I build buildings and facades ........... and reinforce and pour concrete, load and unload, and never get a rest
  • Joined: 14 Dec 2005
  • Posts: 2479
  • Location: same location, but I've changed four countries

Logfile of HijackThis v1.99.1
Scan saved at 5:16:31 PM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\SYSTEM32\SRPSKEY.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\RFA Platinum\rfagent.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mixelotti\Desktop\ \TR3.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Mixelotti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [srpskey] C:\WINDOWS\SYSTEM32\SRPSKEY.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [rfagent] "C:\Program Files\RFA Platinum\rfagent.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [avpa] C:\WINDOWS\system32\avpo.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Con.....7768785363
O17 - HKLM\System\CCS\Services\Tcpip\..\{29235EB4-0B81-4859-8909-0391535A38FF}: NameServer = 212.124.160.1 212.124.160.2
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8-) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

=====

I can't access the D partition on the HD. Partitions C and E open without any problem.
I'm on a 524 Kbps ADSL line.

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hi...

Quote: I can't access the D partition on the HD.
Explain a bit more... What happens when you try to open the partition?

Download ComboFix from one of the following addresses:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Run it and don't touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log will appear; copy it here for us.

  • I build buildings and facades ........... and reinforce and pour concrete, load and unload, and never get a rest
  • Joined: 14 Dec 2005
  • Posts: 2479
  • Location: same location, but I've changed four countries

ComboFix 07-12-09.1 - Mixelotti 2007-12-11 18:06:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.539 [GMT 1:00]
Running from: C:\Documents and Settings\Mixelotti\Desktop\New Folder\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
D:\Autorun.inf
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-11-11 to 2007-12-11 )))))))))))))))))))))))))))))))
.

2007-12-11 15:58 . 2001-08-23 12:00 14,848 -r-hs---- C:\n1deiect.com
2007-12-11 15:57 . 2007-12-11 15:57 45,421 -r-hs---- C:\WINDOWS\system32\amvo1.dll
2007-12-10 09:05 . 2007-12-09 13:28 123,459 -r-hs---- C:\nideiect.com
2007-12-10 09:05 . 2007-12-11 15:56 44,644 --------- C:\WINDOWS\system32\amvo0.dll
2007-12-09 13:28 . 2001-08-23 12:00 14,848 -r-hs---- C:\WINDOWS\system32\amvo.exe
2007-12-06 16:51 . 2007-12-11 15:56 31,619 -r-hs---- C:\WINDOWS\system32\avpo0.dll
2007-12-06 15:49 . 2007-12-06 15:49 98,703 -r-hs---- C:\utdetect.com
2007-11-30 04:58 . 2007-11-24 09:59 97,320 -r-hs---- C:\ntde1ect.com
2007-11-29 09:57 . 2007-11-29 09:57 <DIR> d-------- C:\WINDOWS\system32\oodag
2007-11-24 09:59 . 2007-12-06 15:49 98,703 -r-hs---- C:\WINDOWS\system32\avpo.exe
2007-11-24 09:59 . 2007-12-06 15:49 31,619 -r-hs---- C:\WINDOWS\system32\avpo1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 16:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-11 16:04 --------- d-----r C:\Program Files\BOINC
2007-12-11 14:56 --------- d-----r C:\Program Files\SpeedFan
2007-12-11 09:56 --------- d-----w C:\Documents and Settings\Mixelotti\Application Data\MysteryStudio
2007-12-05 17:21 --------- d-----w C:\Documents and Settings\Mixelotti\Application Data\PlayFirst
2007-11-28 15:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\RFA_Backups
2007-11-24 13:35 --------- d-----r C:\Program Files\Lavalys
2007-11-24 13:35 --------- d-----r C:\Program Files\Kerio
2007-11-08 14:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-04 11:47 5,120 ----a-w C:\WINDOWS\system32\drivers\Stdsys.SYS
2007-10-29 19:41 --------- d-----r C:\Program Files\Macromedia
2007-10-29 19:39 --------- d-----r C:\Program Files\SAGEM
2007-10-29 19:38 --------- d-----r C:\Program Files\URUSoft
2007-10-29 19:38 --------- d-----r C:\Program Files\RFA Platinum
2007-10-29 19:37 --------- d-----r C:\Program Files\OO Software
2007-10-29 19:35 --------- d-----r C:\Program Files\Canon
2007-10-29 19:34 --------- d-----r C:\Program Files\K-Lite Codec Pack
2007-10-29 18:02 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-23 15:22 282,624 ----a-r C:\WINDOWS\Setup1.exe
2007-04-16 21:06 87,608 ----a-w C:\Documents and Settings\Mixelotti\Application Data\ezpinst.exe
2007-04-16 21:06 47,360 ----a-w C:\Documents and Settings\Mixelotti\Application Data\pcouffin.sys
2001-08-23 11:00 14,848 --sh--r C:\WINDOWS\system32\amvo.exe
2007-02-25 19:03 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 19:31]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-29 16:09]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"avpa"="C:\WINDOWS\system32\avpo.exe" [2007-12-06 15:49]
"amva"="C:\WINDOWS\system32\amvo.exe" [2001-08-23 12:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemGuardAlerter"="C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe" [2005-11-08 12:04]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2006-02-11 12:08]
"srpskey"="C:\WINDOWS\SYSTEM32\SRPSKEY.EXE" [2006-04-24 11:10]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 08:33]
"rfagent"="C:\Program Files\RFA Platinum\rfagent.exe" [2007-04-14 15:40]

C:\Documents and Settings\Mixelotti\Start Menu\Programs\Startup\
BOINC Manager.lnk - C:\Program Files\BOINC\boincmgr.exe [2006-08-03 00:26:30]
SpeedFan.lnk - C:\Program Files\SpeedFan\speedfan.exe [2006-02-08 22:38:36]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2006-10-13 03:44:25]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsHistory"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\Program Files\Common Files\Stardock\mcpstub.dll 2003-08-25 10:25 139264 C:\Program Files\Common Files\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kaspersky Anti-Hacker.lnk]
backup=C:\WINDOWS\pss\Kaspersky Anti-Hacker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adobemgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti-Blaxx Manager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
C:\Program Files\ICQLite\ICQLite.exe -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
c:\WINDOWS\$NtServicePackUninstall$\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSystemAnalyzer]
2005-11-08 12:04 545280 --a------ C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PhotoshopElementsDeviceConnect"=3 (0x3)
"AdobeActiveFileMonitor"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"ose"=3 (0x3)
"IDriverT"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29c3ae4b-7fee-11dc-b842-4d6564696130}]
\Shell\AutoRun\command - F:\nideiect.com
\Shell\explore\Command - F:\nideiect.com
\Shell\open\Command - F:\nideiect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8bb751c1-b9aa-11db-baa9-4d6564696130}]
\Shell\AutoRun\command - C:\Program Files\Alleysoft\AutoRun Design Specialty\CDROM\autorun.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\SYSTEM32\srpskeyh3.dll
-> C:\DOCUME~1\MIXELO~1\LOCALS~1\Temp\cwblldqq.dll
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 18:07:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-11 18:08:16
.
--- E O F ---


When I try to open the partition, a small window in which something is being listed flashes up for a split second...
No new window opens in which I could see the partition's contents, nor does any error message come up.
The same thing happens when I try right-click and then Open.

PS
After scanning with ComboFix I can access the partition :)
Of course, let's keep going now that I'm already here, because I'm suspicious of a couple of items in the HijackThis log.
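The mechanism behind the symptom described above, as an added example that is not part of the thread and not code from ComboFix or HijackThis: the worm drops an Autorun.inf into each drive root, and Explorer caches that file's shell verbs per volume under HKCU\...\Explorer\MountPoints2, so double-clicking the drive (or right-click, Open) runs the dropped .com file instead of opening the folder. That is exactly what the first ComboFix log shows: Autorun.inf deleted from C:, D: and E:, and a MountPoints2 key whose AutoRun, explore and open verbs all point at F:\nideiect.com. The Autorun.inf text below is constructed (the standard key layout, with the file name taken from the log); the registry text is the two MountPoints2 entries from the log above, in ComboFix's own dump format.

```python
"""Added example: how an Autorun.inf plus the MountPoints2 cache redirects a
drive's Open/Explore/AutoRun verbs to a worm dropper.

Not code from the thread or from ComboFix. SAMPLE_AUTORUN_INF is constructed;
SAMPLE_MOUNTPOINTS is copied from the first ComboFix log in the thread.
"""
import configparser
import re

# Extensions Explorer will execute directly when named in a verb command.
EXEC_EXT = (".com", ".exe", ".bat", ".cmd", ".scr", ".pif", ".vbs")

# Constructed: a typical worm-style Autorun.inf. Every verb a user can reach from
# Explorer (double-click, right-click Open, Explore, AutoPlay) is pointed at the
# dropper, so there is no "safe" way to open the drive from the GUI.
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
open=nideiect.com
shell\open=Open(&O)
shell\open\Command=nideiect.com
shell\explore=Explore(&X)
shell\explore\Command=nideiect.com
shellexecute=nideiect.com
"""

# From the ComboFix log: one hijacked volume key, one legitimate autorun helper.
SAMPLE_MOUNTPOINTS = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29c3ae4b-7fee-11dc-b842-4d6564696130}]
\Shell\AutoRun\command - F:\nideiect.com
\Shell\explore\Command - F:\nideiect.com
\Shell\open\Command - F:\nideiect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8bb751c1-b9aa-11db-baa9-4d6564696130}]
\Shell\AutoRun\command - C:\Program Files\Alleysoft\AutoRun Design Specialty\CDROM\autorun.exe
"""

# [AutoRun] keys that make Explorer launch something (keys are lower-cased by configparser).
LAUNCH_KEY = re.compile(r"open|shellexecute|shell\\[^\\]+\\command")


def parse_autorun_inf(text):
    """Return {key: target} for every [AutoRun] key that makes Explorer run something."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.read_string(text)
    launchers = {}
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            if LAUNCH_KEY.fullmatch(key):
                launchers[key] = value.strip()
    return launchers


def resolve_verbs(autorun_text, drive):
    """What each verb would execute if this Autorun.inf sat in the root of `drive`."""
    resolved = []
    for key, target in parse_autorun_inf(autorun_text).items():
        path = target if re.match(r"[A-Za-z]:\\", target) else f"{drive}\\{target}"
        if path.lower().endswith(EXEC_EXT):
            resolved.append((key, path))
    return resolved


def is_root_executable(path):
    """True for targets like F:\\nideiect.com: an executable sitting directly in a drive root."""
    return re.fullmatch(r"[A-Za-z]:\\[^\\/]+", path) is not None and path.lower().endswith(EXEC_EXT)


MP_KEY = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
MP_VERB = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.I)


def mountpoints_hijacks(reg_text):
    """Walk a MountPoints2 dump; return (volume_guid, verb, target) for every cached
    verb pointing at a root-level executable. These verbs survive deletion of the
    Autorun.inf itself, which is why the registry key has to go as well."""
    hijacks, guid = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = MP_KEY.match(line)
        if key:
            guid = key.group(1)
            continue
        if line.startswith("["):  # some other key: stop attributing verbs to a volume
            guid = None
            continue
        verb = MP_VERB.match(line)
        if guid and verb and is_root_executable(verb.group(2)):
            hijacks.append((guid, verb.group(1).lower(), verb.group(2)))
    return hijacks


if __name__ == "__main__":
    for key, path in resolve_verbs(SAMPLE_AUTORUN_INF, "D:"):
        print(f"Autorun.inf  {key:<22} -> {path}")
    for guid, verb, target in mountpoints_hijacks(SAMPLE_MOUNTPOINTS):
        print(f"MountPoints2 {guid} {verb:<8} -> {target}")
```

Only targets that are executables directly in a drive root are reported; the second MountPoints2 key, whose verb points into Program Files, is a legitimate autorun helper and is left alone. The two halves of the cleanup in this thread correspond to the two halves of the mechanism: ComboFix removing the Autorun.inf files, and the CFScript removing the cached MountPoints2 key.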

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Yes, you can see from the log that ComboFix solved the problem with opening the partition.
But there's more...

Spybot S&D's TeaTimer needs to be disabled

Run Spybot S&D
Click the Mode item in the menu
Select Advanced Mode
In the left-hand bar click Tools
Click Resident
Untick Resident Tea-Timer
Close Spybot S&D
Restart the computer.

Don't forget to turn these options back on when we finish the cleaning.


-------------------------------------------------------------------------------------


Open Notepad and copy the following text:

File::
C:\n1deiect.com
C:\WINDOWS\system32\amvo1.dll
C:\nideiect.com
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\avpo0.dll
C:\utdetect.com
C:\ntde1ect.com
C:\WINDOWS\system32\avpo.exe
C:\WINDOWS\system32\avpo.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avpa"=-
"amva"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29c3ae4b-7fee-11dc-b842-4d6564696130}]



Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as in the picture.
Post the log that is produced at the end of the cleaning/scanning in your next message.
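The File:: list above is assembled by hand from the "Files Created" section of the ComboFix log. As an added example (not from the thread, and not ComboFix's own code), here is the same triage done programmatically: parse each entry, and flag it when it is a hidden+system file, an executable in a drive root (an Autorun.inf target), a file whose modified time is long before its creation time (copied with its timestamp preserved or timestomped), or a numbered companion of a file already flagged (amvo.exe, amvo0.dll, amvo1.dll). The sample lines are copied from the first ComboFix log in this thread; the heuristics are mine.

```python
"""Added example: a triage pass over ComboFix's "Files Created" section.

Not code from the thread or from ComboFix. The sample lines are copied from the
first ComboFix log in this thread; the heuristics are an analyst's rules of thumb.
"""
import ntpath
import re
from datetime import datetime, timedelta

# Copied from the first ComboFix log above. Columns: created . modified size attrs path,
# where attrs such as -r-hs---- mean read-only, hidden, system.
SAMPLE_FILES_CREATED = r"""
2007-12-11 15:58 . 2001-08-23 12:00 14,848 -r-hs---- C:\n1deiect.com
2007-12-11 15:57 . 2007-12-11 15:57 45,421 -r-hs---- C:\WINDOWS\system32\amvo1.dll
2007-12-10 09:05 . 2007-12-09 13:28 123,459 -r-hs---- C:\nideiect.com
2007-12-10 09:05 . 2007-12-11 15:56 44,644 --------- C:\WINDOWS\system32\amvo0.dll
2007-12-09 13:28 . 2001-08-23 12:00 14,848 -r-hs---- C:\WINDOWS\system32\amvo.exe
2007-12-06 16:51 . 2007-12-11 15:56 31,619 -r-hs---- C:\WINDOWS\system32\avpo0.dll
2007-12-06 15:49 . 2007-12-06 15:49 98,703 -r-hs---- C:\utdetect.com
2007-11-30 04:58 . 2007-11-24 09:59 97,320 -r-hs---- C:\ntde1ect.com
2007-11-29 09:57 . 2007-11-29 09:57 <DIR> d-------- C:\WINDOWS\system32\oodag
2007-11-24 09:59 . 2007-12-06 15:49 98,703 -r-hs---- C:\WINDOWS\system32\avpo.exe
2007-11-24 09:59 . 2007-12-06 15:49 31,619 -r-hs---- C:\WINDOWS\system32\avpo1.dll
"""

ENTRY = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S{9})\s+(?P<path>.+?)\s*$"
)
EXEC_EXT = (".com", ".exe", ".bat", ".cmd", ".scr", ".pif")
TS = "%Y-%m-%d %H:%M"


def parse_entries(text):
    """Return one dict per parseable line: created/modified datetimes, attrs, path, is_dir."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        entries.append({
            "created": datetime.strptime(m["created"], TS),
            "modified": datetime.strptime(m["modified"], TS),
            "attrs": m["attrs"],
            "path": m["path"],
            "is_dir": m["size"] == "<DIR>",
        })
    return entries


def family_stem(path):
    """amvo.exe, amvo0.dll, amvo1.dll -> 'amvo': droppers number their companion files."""
    name, _ = ntpath.splitext(ntpath.basename(path))
    return re.sub(r"\d", "", name).lower()


def triage(text):
    """Return [(path, [reasons])] for entries worth a second look, in log order."""
    entries = parse_entries(text)
    reasons = {e["path"]: [] for e in entries}
    for e in entries:
        if e["is_dir"]:
            continue
        p, attrs = e["path"], e["attrs"]
        if "h" in attrs and "s" in attrs:
            reasons[p].append("hidden+system file (invisible in a default Explorer view)")
        if re.fullmatch(r"[A-Za-z]:\\", ntpath.dirname(p)) and p.lower().endswith(EXEC_EXT):
            reasons[p].append("executable in a drive root (Autorun.inf target)")
        if e["created"] - e["modified"] > timedelta(days=1):
            reasons[p].append("modified long before created (copied/timestomped)")
    # Second pass: unflagged companions that share a stem and directory with a flagged file.
    flagged = {(ntpath.dirname(p), family_stem(p)) for p, r in reasons.items() if r}
    for e in entries:
        p = e["path"]
        if not reasons[p] and not e["is_dir"] and (ntpath.dirname(p), family_stem(p)) in flagged:
            reasons[p].append("name pattern matches a flagged sibling")
    return [(e["path"], reasons[e["path"]]) for e in entries if reasons[e["path"]]]


def flagged_paths(text):
    """Just the paths, in the order they appear in the log: ready to paste under File::."""
    return [p for p, _ in triage(text)]


if __name__ == "__main__":
    for path, why in triage(SAMPLE_FILES_CREATED):
        print(path)
        for r in why:
            print("   -", r)
```

Run against the log above it flags every non-directory entry, including amvo0.dll (which carries no hidden/system attributes and is caught only through its amvo.exe sibling) and avpo1.dll, and leaves the O&O Defrag directory alone. The output of `flagged_paths` is the list you would paste under File:: in the CFScript.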

  • I build buildings and facades ........... and reinforce and pour concrete, load and unload, and never get a rest
  • Joined: 14 Dec 2005
  • Posts: 2479
  • Location: same location, but I've changed four countries

ComboFix 07-12-09.1 - Mixelotti 2007-12-11 18:44:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.594 [GMT 1:00]
Running from: C:\Documents and Settings\Mixelotti\Desktop\New Folder\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mixelotti\Desktop\New Folder\CFScript.txt
* Created a new restore point

FILE
C:\n1deiect.com
C:\nideiect.com
C:\ntde1ect.com
C:\utdetect.com
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo1.dll
C:\WINDOWS\system32\avpo.exe
C:\WINDOWS\system32\avpo0.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\n1deiect.com
C:\nideiect.com
C:\ntde1ect.com
C:\utdetect.com
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo1.dll
C:\WINDOWS\system32\avpo.exe
C:\WINDOWS\system32\avpo0.dll
D:\Autorun.inf
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-11-11 to 2007-12-11 )))))))))))))))))))))))))))))))
.

2007-11-29 09:57 . 2007-11-29 09:57 <DIR> d-------- C:\WINDOWS\system32\oodag
2007-11-24 09:59 . 2007-12-06 15:49 31,619 -r-hs---- C:\WINDOWS\system32\avpo1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 17:45 --------- d-----r C:\Program Files\BOINC
2007-12-11 17:41 --------- d-----r C:\Program Files\SpeedFan
2007-12-11 17:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-11 09:56 --------- d-----w C:\Documents and Settings\Mixelotti\Application Data\MysteryStudio
2007-12-05 17:21 --------- d-----w C:\Documents and Settings\Mixelotti\Application Data\PlayFirst
2007-11-28 15:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\RFA_Backups
2007-11-24 13:35 --------- d-----r C:\Program Files\Lavalys
2007-11-24 13:35 --------- d-----r C:\Program Files\Kerio
2007-11-08 14:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-04 11:47 5,120 ----a-w C:\WINDOWS\system32\drivers\Stdsys.SYS
2007-10-29 19:41 --------- d-----r C:\Program Files\Macromedia
2007-10-29 19:39 --------- d-----r C:\Program Files\SAGEM
2007-10-29 19:38 --------- d-----r C:\Program Files\URUSoft
2007-10-29 19:38 --------- d-----r C:\Program Files\RFA Platinum
2007-10-29 19:37 --------- d-----r C:\Program Files\OO Software
2007-10-29 19:35 --------- d-----r C:\Program Files\Canon
2007-10-29 19:34 --------- d-----r C:\Program Files\K-Lite Codec Pack
2007-10-29 18:02 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-23 15:22 282,624 ----a-r C:\WINDOWS\Setup1.exe
2007-04-16 21:06 87,608 ----a-w C:\Documents and Settings\Mixelotti\Application Data\ezpinst.exe
2007-04-16 21:06 47,360 ----a-w C:\Documents and Settings\Mixelotti\Application Data\pcouffin.sys
2007-02-25 19:03 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-11_18.07.44.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-11 14:58:55 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-12-11 17:43:57 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-12-11 14:58:55 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-12-11 17:43:57 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 19:31]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-29 16:09]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemGuardAlerter"="C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe" [2005-11-08 12:04]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2006-02-11 12:08]
"srpskey"="C:\WINDOWS\SYSTEM32\SRPSKEY.EXE" [2006-04-24 11:10]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 08:33]
"rfagent"="C:\Program Files\RFA Platinum\rfagent.exe" [2007-04-14 15:40]

C:\Documents and Settings\Mixelotti\Start Menu\Programs\Startup\
BOINC Manager.lnk - C:\Program Files\BOINC\boincmgr.exe [2006-08-03 00:26:30]
SpeedFan.lnk - C:\Program Files\SpeedFan\speedfan.exe [2006-02-08 22:38:36]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2006-10-13 03:44:25]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsHistory"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\Program Files\Common Files\Stardock\mcpstub.dll 2003-08-25 10:25 139264 C:\Program Files\Common Files\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kaspersky Anti-Hacker.lnk]
backup=C:\WINDOWS\pss\Kaspersky Anti-Hacker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adobemgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti-Blaxx Manager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
C:\Program Files\ICQLite\ICQLite.exe -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
c:\WINDOWS\$NtServicePackUninstall$\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSystemAnalyzer]
2005-11-08 12:04 545280 --a------ C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PhotoshopElementsDeviceConnect"=3 (0x3)
"AdobeActiveFileMonitor"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"ose"=3 (0x3)
"IDriverT"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8bb751c1-b9aa-11db-baa9-4d6564696130}]
\Shell\AutoRun\command - C:\Program Files\Alleysoft\AutoRun Design Specialty\CDROM\autorun.exe

.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 18:47:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-11 18:48:04 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-11 18:08
.
--- E O F ---

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

OK... One more file to remove...

Open Notepad and copy the following text:

File::
C:\WINDOWS\system32\avpo1.dll

Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as in the picture.
Post the log that is produced at the end of the cleaning/scanning in your next message.

  • I build buildings and facades ........... and reinforce and pour concrete, load and unload, and never get a rest
  • Joined: 14 Dec 2005
  • Posts: 2479
  • Location: same location, but I've changed four countries

ComboFix 07-12-09.1 - Mixelotti 2007-12-11 19:00:46.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.630 [GMT 1:00]
Running from: C:\Documents and Settings\Mixelotti\Desktop\New Folder\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mixelotti\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\avpo1.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\avpo1.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-11 to 2007-12-11 )))))))))))))))))))))))))))))))
.

2007-11-29 09:57 . 2007-11-29 09:57 <DIR> d-------- C:\WINDOWS\system32\oodag

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 17:54 --------- d-----r C:\Program Files\BOINC
2007-12-11 17:48 --------- d-----r C:\Program Files\SpeedFan
2007-12-11 17:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-11 09:56 --------- d-----w C:\Documents and Settings\Mixelotti\Application Data\MysteryStudio
2007-12-05 17:21 --------- d-----w C:\Documents and Settings\Mixelotti\Application Data\PlayFirst
2007-11-28 15:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\RFA_Backups
2007-11-24 13:35 --------- d-----r C:\Program Files\Lavalys
2007-11-24 13:35 --------- d-----r C:\Program Files\Kerio
2007-11-08 14:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-04 11:47 5,120 ----a-w C:\WINDOWS\system32\drivers\Stdsys.SYS
2007-10-29 19:41 --------- d-----r C:\Program Files\Macromedia
2007-10-29 19:39 --------- d-----r C:\Program Files\SAGEM
2007-10-29 19:38 --------- d-----r C:\Program Files\URUSoft
2007-10-29 19:38 --------- d-----r C:\Program Files\RFA Platinum
2007-10-29 19:37 --------- d-----r C:\Program Files\OO Software
2007-10-29 19:35 --------- d-----r C:\Program Files\Canon
2007-10-29 19:34 --------- d-----r C:\Program Files\K-Lite Codec Pack
2007-10-29 18:02 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-23 15:22 282,624 ----a-r C:\WINDOWS\Setup1.exe
2007-04-16 21:06 87,608 ----a-w C:\Documents and Settings\Mixelotti\Application Data\ezpinst.exe
2007-04-16 21:06 47,360 ----a-w C:\Documents and Settings\Mixelotti\Application Data\pcouffin.sys
2007-02-25 19:03 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-11_18.07.44.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-11 14:58:55 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-12-11 17:51:08 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-12-11 14:58:55 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-12-11 17:51:08 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 19:31]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-29 16:09]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemGuardAlerter"="C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe" [2005-11-08 12:04]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2006-02-11 12:08]
"srpskey"="C:\WINDOWS\SYSTEM32\SRPSKEY.EXE" [2006-04-24 11:10]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 08:33]
"rfagent"="C:\Program Files\RFA Platinum\rfagent.exe" [2007-04-14 15:40]

C:\Documents and Settings\Mixelotti\Start Menu\Programs\Startup\
BOINC Manager.lnk - C:\Program Files\BOINC\boincmgr.exe [2006-08-03 00:26:30]
SpeedFan.lnk - C:\Program Files\SpeedFan\speedfan.exe [2006-02-08 22:38:36]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2006-10-13 03:44:25]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsHistory"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\Program Files\Common Files\Stardock\mcpstub.dll 2003-08-25 10:25 139264 C:\Program Files\Common Files\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kaspersky Anti-Hacker.lnk]
backup=C:\WINDOWS\pss\Kaspersky Anti-Hacker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adobemgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti-Blaxx Manager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
C:\Program Files\ICQLite\ICQLite.exe -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
c:\WINDOWS\$NtServicePackUninstall$\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSystemAnalyzer]
2005-11-08 12:04 545280 --a------ C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PhotoshopElementsDeviceConnect"=3 (0x3)
"AdobeActiveFileMonitor"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"ose"=3 (0x3)
"IDriverT"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8bb751c1-b9aa-11db-baa9-4d6564696130}]
\Shell\AutoRun\command - C:\Program Files\Alleysoft\AutoRun Design Specialty\CDROM\autorun.exe

.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 19:03:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-11 19:04:12 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-11 18:48
C:\ComboFix3.txt ... 2007-12-11 18:08
.
--- E O F ---

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Clean log...

System Restore needs to be reset:

Turning off System Restore

On the Desktop, right-click My Computer.
Select Properties.
Select the System Restore tab.
Tick Turn off System Restore.
Click the Apply button.
Click the OK button.

Restart the computer.

Turning on System Restore

On the Desktop, right-click My Computer.
Select Properties.
Select the System Restore tab.
Untick Turn off System Restore.
Click the Apply button.
Click the OK button.

Turn TeaTimer back on (if it reports any registry changes, allow them!).

Delete the folder: c:\qoobox

That would be all.

  • I build buildings and facades ........... and reinforce and pour concrete, load and unload, and never get a rest
  • Joined: 14 Dec 2005
  • Posts: 2479
  • Location: same location, but I've changed four countries

- System Restore turned off, computer restarted
- after Windows came back up, System Restore turned on and then TeaTimer turned on

I get a window like this:

Since I can't see the options in the windows, could I ask for instructions on which command allows the registry change?

======

One more question:
In the first log I see the line:
Quote: O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
I'm sure this line was left behind after installing and uninstalling a game.
I don't need it any more, so if possible I'd ask to have it removed/deactivated too, or whatever needs doing...

Addendum: 11 Dec 2007 19:54

I also see in the ComboFix log:

1. Quote: [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kaspersky Anti-Hacker.lnk]
backup=C:\WINDOWS\pss\Kaspersky Anti-Hacker.lnkCommon Startup

this is a leftover from a former firewall

2. Quote: [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
also a leftover after uninstalling the program

I'd remove these two items as well, since RFA and, say, CCleaner obviously skip them

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

You're probably using an older version of Spybot, which is why you ran into this bug.
The left button is Allow change (as in the picture).

--------------------------------------------

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

This is "Protexis copy protection and license management software."

If you're sure you no longer have the program that installed this service, then...

Control Panel - Administrative Tools - Services: double-click ProtexisLicensing: in the window that opens, click Stop, then set Startup type to Disabled.
After that the process will no longer start.

If you really want to remove it from the PC completely, then also do the following:
Start - Run: type:
cmd

In the window that opens, type:

sc delete ProtexisLicensing

Delete:
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\PSIKey.exe

--------------------------------------------

Regarding the addendum...

Start - Run: type:

regedit

When it starts, find and delete the following keys:

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kaspersky Anti-Hacker.lnk

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck
