Internet outages caused by cfdrive32.exe and msvmiode.exe

offline
  • Joined: 29 Nov 2009
  • Posts: 77

Posted: 08 Oct 2010 18:41

Hi, since this morning my internet keeps dropping; Malwarebytes' Anti-Malware shows me this:
--------------------------------------------------------
Inficirani procesi u memoriji:
C:\WINDOWS\system32\msvmiode.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\WINDOWS\cfdrive32.exe (Trojan.Agent) -> Failed to unload process.

Inficirani moduli u memoriji:
(Maliciozne stavke nisu pronađene)

Inficirani ključevi u registru:
(Maliciozne stavke nisu pronađene)

Inficirane vrednosti u registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msodesnv7 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft driver setup (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\microsoft driver setup (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Worm.Palevo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Worm.Palevo) -> Quarantined and deleted successfully.

Inficirani podaci u registru:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\RECYCLER\S-1-5-21-1412536315-7278018949-042774263-0837\syscr.exe,explorer.exe,C:\Documents and Settings\KOKI\Application Data\ltzqai.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Inficirane fascikle:
(Maliciozne stavke nisu pronađene)
-------------------------------------------------------------------------------
I go into safe mode and delete them, but the same thing comes back and the internet drops again, so it's back into safe mode and the whole thing all over again!
Thanks in advance!


Update: 08 Oct 2010 18:54

I'm using 32-bit Windows and cable internet.

rip
  • argus  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 27 Apr 2008
  • Posts: 9160
  • Location: Prokuplje

Hi, we'll have to follow a few rules.

Read the instructions and post the appropriate logs so we can continue.

Instructions

rip
  • argus  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 27 Apr 2008
  • Posts: 9160
  • Location: Prokuplje

Not good, the DDS.txt and Gmer logs are missing.

offline
  • Joined: 29 Nov 2009
  • Posts: 77

Yes, I'm doing that now; I sent you this as soon as I made it.

rip
  • argus  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 27 Apr 2008
  • Posts: 9160
  • Location: Prokuplje

OK, wait and then post everything at once, and don't forget the DDS.txt log.

offline
  • Joined: 29 Nov 2009
  • Posts: 77

Posted: 08 Oct 2010 20:11

On it, will do!

Update: 08 Oct 2010 20:43

I'm done with Gmer; here's the DDS.txt log.
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

DDS (Ver_10-10-05.01) - NTFSx86
Run by KOKI at 19:50:58,17 on pet 08.10.2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.511.165 [GMT 2:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\msvmiode.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\PhotoFiltre\PhotoFiltre.exe
D:\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: Taskman=c:\documents and settings\koki\application data\ltzqai.exe
uWinlogon: Shell=c:\recycler\s-1-5-21-1700588231-8480441840-199934437-5100\syscr.exe,explorer.exe,c:\documents and settings\koki\application data\ltzqai.exe,Explorer.exen
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSODESNV7] c:\windows\system32\msvmiode.exe
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\koki\applic~1\mozilla\firefox\profiles\x3kgijhn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: d:\program files\reader\browser\nppdf32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-27 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-27 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-27 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-3-27 60936]
S2 vseamps;vseamps;"c:\program files\common files\authentium\antivirus5\vseamps.exe" --> c:\program files\common files\authentium\antivirus5\vseamps.exe [?]
S2 vsedsps;vsedsps;"c:\program files\common files\authentium\antivirus5\vsedsps.exe" --> c:\program files\common files\authentium\antivirus5\vsedsps.exe [?]
S2 vseqrts;vseqrts;"c:\program files\common files\authentium\antivirus5\vseqrts.exe" --> c:\program files\common files\authentium\antivirus5\vseqrts.exe [?]

=============== Created Last 30 ================

2010-10-08 17:42:32 94208 ----a-w- c:\windows\system32\82.exe
2010-10-08 17:40:08 94208 ----a-w- c:\windows\system32\74.exe
2010-10-08 17:24:57 94208 ----a-w- c:\windows\system32\37.exe
2010-10-08 17:16:48 94208 ----a-w- c:\windows\system32\01.exe
2010-10-08 17:16:35 94208 ----a-w- c:\windows\system32\22.exe
2010-10-08 17:15:43 94208 ----a-w- c:\windows\system32\17.exe
2010-10-08 17:09:12 94208 ----a-w- c:\windows\system32\57.exe
2010-10-08 17:05:50 94208 ----a-w- c:\windows\system32\61.exe
2010-10-08 16:51:52 94208 ----a-w- c:\windows\system32\71.exe
2010-10-08 16:43:14 94208 ----a-w- c:\windows\system32\66.exe
2010-10-08 16:42:24 94208 ----a-w- c:\windows\system32\40.exe
2010-10-08 16:35:52 94208 ----a-w- c:\windows\system32\08.exe
2010-10-08 16:33:27 94208 ----a-w- c:\windows\system32\55.exe
2010-10-08 16:32:29 94208 ----a-w- c:\windows\system32\77.exe
2010-10-08 15:44:56 94208 ----a-w- c:\windows\system32\06.exe
2010-10-08 15:29:13 94208 ----a-w- c:\windows\system32\33.exe
2010-10-08 15:26:46 94208 ----a-w- c:\windows\system32\26.exe
2010-10-08 15:11:28 94208 ----a-w- c:\windows\system32\72.exe
2010-10-08 15:10:21 131072 ----a-w- c:\windows\system32\msvmiode.exe
2010-10-08 15:10:20 86016 --sh--r- c:\windows\cfdrive32.exe
2010-10-08 15:10:15 90112 --sh--r- c:\docume~1\koki\applic~1\ltzqai.exe
2010-10-08 12:58:58 94208 ----a-w- c:\windows\system32\62.exe
2010-10-08 12:54:36 94208 ----a-w- c:\windows\system32\10.exe
2010-10-08 12:49:48 94208 ----a-w- c:\windows\system32\31.exe
2010-10-08 12:40:34 94208 ----a-w- c:\windows\system32\05.exe
2010-10-08 12:18:38 94208 ----a-w- c:\windows\system32\24.exe
2010-10-08 12:15:20 94208 ----a-w- c:\windows\system32\32.exe
2010-10-08 12:09:12 94208 ----a-w- c:\windows\system32\36.exe
2010-10-08 11:39:09 131072 ----a-w- c:\windows\system32\virus.exe
2010-09-25 07:35:34 9600 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-09-25 07:35:34 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-09-17 11:15:25 -------- d-sha-r- C:\cmdcons

==================== Find3M ====================

2010-07-17 03:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-17 00:42:29 73728 ----a-w- c:\windows\system32\javacpl.cpl

============= FINISH: 19:52:15,68 ===============
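The MBAM and DDS logs above show the same persistence pattern from two angles: a Winlogon Shell value extended with extra executables, a Winlogon Taskman entry, a Run entry for msvmiode.exe, and a burst of same-sized numeric-named executables dropped into system32. The following Python triage is an added example (not code from the thread, from DDS or from MBAM) that parses a DDS-style log for exactly those indicators; the sample log is constructed from the one posted above, trimmed.

```python
"""Triage of a DDS log for the persistence pattern in this thread: hijacked
Winlogon Shell/Taskman, Run entries pointing at freshly dropped binaries,
and a burst of numeric-named executables of identical size in one directory."""
import re
from collections import defaultdict

# Constructed sample, modelled on the DDS log posted in the thread (trimmed).
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
mWinlogon: Taskman=c:\documents and settings\koki\application data\ltzqai.exe
uWinlogon: Shell=c:\recycler\s-1-5-21-1700588231-8480441840-199934437-5100\syscr.exe,explorer.exe,c:\documents and settings\koki\application data\ltzqai.exe,Explorer.exen
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [MSODESNV7] c:\windows\system32\msvmiode.exe
=============== Created Last 30 ================
2010-10-08 17:42:32 94208 ----a-w- c:\windows\system32\82.exe
2010-10-08 17:40:08 94208 ----a-w- c:\windows\system32\74.exe
2010-10-08 17:24:57 94208 ----a-w- c:\windows\system32\37.exe
2010-10-08 15:10:21 131072 ----a-w- c:\windows\system32\msvmiode.exe
2010-10-08 15:10:20 86016 --sh--r- c:\windows\cfdrive32.exe
2010-10-08 15:10:15 90112 --sh--r- c:\docume~1\koki\applic~1\ltzqai.exe
2010-09-17 11:15:25 -------- d-sha-r- C:\cmdcons
==================== Find3M ====================
2010-07-17 03:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
"""

HJT_RE = re.compile(r"^([umd])(Winlogon|Run): (.*)$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+|-+) (\S+) (.+)$")
# Path fragments (8.3 short forms included) where a logon-time target should not live.
USER_WRITABLE = ("application data", "applic~1", "local settings", "locals~1", "\\recycler\\", "\\temp\\")


def basename(path):
    """Lowercase file name of a Windows path; tolerates quotes and 8.3 forms."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_dds(text):
    """Return (hjt_entries, created): hjt_entries as (scope, key, value) tuples,
    created as (timestamp, size or None, attrs, path) from 'Created Last 30' only."""
    hjt, created, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("="):  # section banner
            section = "created" if "Created Last 30" in line else line.strip("= ")
            continue
        if m := HJT_RE.match(line):
            hjt.append(m.groups())
        elif section == "created" and (m := CREATED_RE.match(line)):
            size = int(m.group(2)) if m.group(2).isdigit() else None
            created.append((m.group(1), size, m.group(3), m.group(4)))
    return hjt, created


def command_target(cmd):
    """Executable path from a Run command line, quoted or not."""
    cmd = cmd.strip()
    return cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]


def triage(text):
    """Return findings as (check, scope_or_directory, details) tuples."""
    hjt, created = parse_dds(text)
    recent = {basename(p) for _, _, _, p in created}  # by name: the log mixes 8.3 and long paths
    findings = []
    for scope, key, value in hjt:
        if key == "Winlogon":
            name, _, val = value.partition("=")
            if name.lower() == "shell":
                # Shell must be exactly explorer.exe; every extra component loads at logon.
                extra = [p for p in val.split(",") if basename(p) != "explorer.exe"]
                if extra:
                    findings.append(("winlogon_shell", scope, extra))
            elif name.lower() == "taskman":
                findings.append(("winlogon_taskman", scope, [val]))  # normally absent
            continue
        m = re.match(r"\[(.*?)\]\s*(.*)", value)  # Run entries look like "[name] command"
        if not m:
            continue
        entry, cmd = m.groups()
        target = command_target(cmd)
        reasons = []
        if basename(target) in recent:
            reasons.append("target created within the last 30 days")
        if any(frag in target.lower() for frag in USER_WRITABLE):
            reasons.append("target in a user-writable location")
        if reasons:
            findings.append(("run_entry", scope, [entry, target] + reasons))
    # Several numeric-named executables of identical size in one directory: dropper signature.
    groups = defaultdict(list)
    for _, size, _, path in created:
        if size is not None and re.fullmatch(r"\d+\.exe", basename(path)):
            groups[(path.lower().rsplit("\\", 1)[0], size)].append(basename(path))
    for (directory, size), names in groups.items():
        if len(names) >= 3:
            findings.append(("dropper_burst", directory, [str(size)] + sorted(names)))
    return findings


if __name__ == "__main__":
    for check, where, details in triage(SAMPLE_DDS):
        print(f"{check:16} {where}: {', '.join(details)}")
```

Matching Run targets against the "Created Last 30" section by file name is what ties the MSODESNV7 entry to msvmiode.exe even though the log writes some paths in 8.3 form; on a real log, feed the whole DDS.txt to triage().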


rip
  • argus  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 27 Apr 2008
  • Posts: 9160
  • Location: Prokuplje

Download sUBs's ComboFix from the following address to your Desktop:

Bleeping Computer
  • Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
  • When the dialog for choosing a save location opens, select Desktop and click Save.

When the download has finished:
  • disable your security software (instructions);
  • close any running programs;
  • double-click ComboFix to run it.

While it runs, ComboFix will:
  • check whether a newer version of the program exists: click Yes if offered the download;
  • display the DISCLAIMER OF WARRANTY ON SOFTWARE: click Yes so the process continues;
  • offer to install the Recovery Console if it is not installed: be sure to accept by clicking Yes and follow the procedure;
  • ask a number of questions / show notifications: accept by clicking Yes or OK;
  • restart Windows if needed (possibly several times);
  • at the end, open Notepad with the scan report.

Copy the report ComboFix produced into the forum thread:
  • right-click in the Notepad window and choose Select All;
  • right-click the highlighted text and choose Copy;
  • right-click in the message box and choose Paste.

Note: The report will be saved as ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
If after posting you notice the report is incomplete, use the Attach file option to attach C:\ComboFix.txt to your message.

offline
  • Joined: 29 Nov 2009
  • Posts: 77

Posted: 08 Oct 2010 21:18

ComboFix 10-10-07.02 - KOKI 08.10.2010 21:12:12.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.511.239 [GMT 2:00]
Running from: c:\documents and settings\KOKI\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\KOKI\Application Data\ltzqai.exe
c:\windows\cfdrive32.exe
c:\windows\system32\01.exe
c:\windows\system32\05.exe
c:\windows\system32\06.exe
c:\windows\system32\08.exe
c:\windows\system32\10.exe
c:\windows\system32\17.exe
c:\windows\system32\22.exe
c:\windows\system32\24.exe
c:\windows\system32\26.exe
c:\windows\system32\31.exe
c:\windows\system32\32.exe
c:\windows\system32\33.exe
c:\windows\system32\36.exe
c:\windows\system32\37.exe
c:\windows\system32\40.exe
c:\windows\system32\55.exe
c:\windows\system32\57.exe
c:\windows\system32\61.exe
c:\windows\system32\62.exe
c:\windows\system32\66.exe
c:\windows\system32\71.exe
c:\windows\system32\72.exe
c:\windows\system32\74.exe
c:\windows\system32\77.exe
c:\windows\system32\82.exe
c:\windows\system32\msvmiode.exe
c:\windows\system32\virus.exe

----- File Replicators -----

c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C5IV8PYN\r[1].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C5IV8PYN\r[2].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C5IV8PYN\r[3].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C5IV8PYN\r[4].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\G1IJSHE7\r[1].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\G1IJSHE7\r[2].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\G1IJSHE7\r[3].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\G1YVSLQ3\r[1].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\G1YVSLQ3\r[2].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\G1YVSLQ3\r[3].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\G1YVSLQ3\r[4].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\G1YVSLQ3\r[5].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\G1YVSLQ3\r[6].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\G1YVSLQ3\r[7].exe
c:\system volume information\_restore{E682E130-9CE3-4FC0-9397-0A80FBD58E0A}\RP1\A0000027.exe
c:\system volume information\_restore{E682E130-9CE3-4FC0-9397-0A80FBD58E0A}\RP1\A0000035.exe
c:\system volume information\_restore{E682E130-9CE3-4FC0-9397-0A80FBD58E0A}\RP1\A0000047.exe
c:\windows\system32\01.exe
c:\windows\system32\05.exe
c:\windows\system32\06.exe
c:\windows\system32\08.exe
c:\windows\system32\10.exe
c:\windows\system32\17.exe
c:\windows\system32\22.exe
c:\windows\system32\24.exe
c:\windows\system32\26.exe
c:\windows\system32\31.exe
c:\windows\system32\32.exe
c:\windows\system32\33.exe
c:\windows\system32\36.exe
c:\windows\system32\37.exe
c:\windows\system32\40.exe
c:\windows\system32\55.exe
c:\windows\system32\57.exe
c:\windows\system32\61.exe
c:\windows\system32\62.exe
c:\windows\system32\66.exe
c:\windows\system32\71.exe
c:\windows\system32\72.exe
c:\windows\system32\74.exe
c:\windows\system32\77.exe
c:\windows\system32\82.exe
.
.
((((((((((((((((((((((((( Files Created from 2010-09-08 to 2010-10-08 )))))))))))))))))))))))))))))))
.

2010-09-25 07:35 . 2001-08-17 11:02 9600 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-09-25 07:35 . 2001-08-17 11:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-09-22 11:17 . 2010-09-22 11:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\PDFcreator
2010-09-21 18:37 . 2010-09-21 18:37 932288 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\6787\AdobeARM.exe
2010-09-21 18:37 . 2010-09-21 18:37 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\6787\AdobeExtractFiles.dll
2010-09-21 18:37 . 2010-09-21 18:37 338856 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\6787\ReaderUpdater.exe
2010-09-21 18:37 . 2010-09-21 18:37 338856 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\6787\AcrobatUpdater.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-08 18:03 . 2010-03-27 12:36 -------- d-----w- c:\documents and settings\KOKI\Application Data\Skype
2010-10-08 17:58 . 2010-03-27 12:42 -------- d-----w- c:\documents and settings\KOKI\Application Data\skypePM
2010-09-17 13:05 . 2010-08-19 16:13 -------- d-----w- c:\program files\Common Files\Authentium
2010-09-04 12:22 . 2010-09-04 12:22 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-31 12:52 . 2010-08-31 12:52 -------- d-----w- c:\documents and settings\Administrator.KOKI-1CCE0A537D\Application Data\Malwarebytes
2010-08-19 12:06 . 2010-08-19 11:54 -------- d-----w- c:\program files\C-Media PCI Audio Device
2010-08-19 11:53 . 2010-03-27 16:57 -------- d-----w- c:\program files\Common Files\InstallShield
2010-08-19 11:39 . 2010-08-19 11:39 -------- d-----w- c:\program files\Common Files\Java
2010-08-19 11:39 . 2010-05-30 22:56 -------- d-----w- c:\program files\Java
2010-08-19 11:31 . 2010-08-06 11:35 -------- d-----w- c:\documents and settings\KOKI\Application Data\vlc
2010-08-19 11:29 . 2010-08-18 11:37 -------- d-----w- c:\program files\TextEdit
2010-07-17 03:00 . 2010-05-30 22:56 423656 ----a-w- c:\windows\system32\deployJava1.dll
.

------- Sigcheck -------

[-] 2006-02-25 . 6E266AAF4168B3569A330C61AB01F6B4 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 03:08 35696 ----a-w- d:\program files\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
1999-12-31 22:00 155648 ----a-r- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-06 00:27 26102056 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Program Files\\Blutut\\BlueSoleil.exe"=
"d:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [27.3.2010 20:08 135336]
S2 vseamps;vseamps;"c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe" --> c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe [?]
S2 vsedsps;vsedsps;"c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe" --> c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe [?]
S2 vseqrts;vseqrts;"c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe" --> c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - kgloyfod
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\KOKI\Application Data\Mozilla\Firefox\Profiles\x3kgijhn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: d:\program files\Reader\browser\nppdf32.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.
.
Completion time: 2010-10-08 21:17:41
ComboFix-quarantined-files.txt 2010-10-08 19:17
ComboFix2.txt 2010-09-17 14:28

Pre-Run: 16.477.175.808 bytes free
Post-Run: 16.517.312.512 bytes free

- - End Of File - - C73AEB908E4A16CCDB2F16F2091A5CDE

Update: 08 Oct 2010 22:59

It's still detecting viruses!


Update: 08 Oct 2010 23:47

Here's a new ComboFix log, because my sound disappeared so I updated the drivers!
I wrote that it detected viruses again, and I get the message shown in the picture!

ComboFix 10-10-07.02 - KOKI 08.10.2010 23:31:32.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.511.330 [GMT 2:00]
Running from: c:\documents and settings\KOKI\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\KOKI\Application Data\ltzqai.exe
c:\windows\system32\20.exe
c:\windows\system32\37.exe
c:\windows\system32\53.exe
c:\windows\system32\66.exe
c:\windows\system32\76.exe
c:\windows\system32\msvmiode.exe

.
((((((((((((((((((((((((( Files Created from 2010-09-08 to 2010-10-08 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-08 21:06 . 2010-03-27 12:36 -------- d-----w- c:\documents and settings\KOKI\Application Data\Skype
2010-10-08 20:48 . 2010-08-19 11:54 -------- d-----w- c:\program files\C-Media PCI Audio Device
2010-10-08 17:58 . 2010-03-27 12:42 -------- d-----w- c:\documents and settings\KOKI\Application Data\skypePM
2010-09-22 11:17 . 2010-09-22 11:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\PDFcreator
2010-09-21 18:37 . 2010-09-21 18:37 932288 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\6787\AdobeARM.exe
2010-09-21 18:37 . 2010-09-21 18:37 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\6787\AdobeExtractFiles.dll
2010-09-21 18:37 . 2010-09-21 18:37 338856 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\6787\ReaderUpdater.exe
2010-09-21 18:37 . 2010-09-21 18:37 338856 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\6787\AcrobatUpdater.exe
2010-09-17 13:05 . 2010-08-19 16:13 -------- d-----w- c:\program files\Common Files\Authentium
2010-09-04 12:22 . 2010-09-04 12:22 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-31 12:52 . 2010-08-31 12:52 -------- d-----w- c:\documents and settings\Administrator.KOKI-1CCE0A537D\Application Data\Malwarebytes
2010-08-19 11:53 . 2010-03-27 16:57 -------- d-----w- c:\program files\Common Files\InstallShield
2010-08-19 11:39 . 2010-08-19 11:39 -------- d-----w- c:\program files\Common Files\Java
2010-08-19 11:39 . 2010-05-30 22:56 -------- d-----w- c:\program files\Java
2010-08-19 11:31 . 2010-08-06 11:35 -------- d-----w- c:\documents and settings\KOKI\Application Data\vlc
2010-08-19 11:29 . 2010-08-18 11:37 -------- d-----w- c:\program files\TextEdit
2010-07-17 03:00 . 2010-05-30 22:56 423656 ----a-w- c:\windows\system32\deployJava1.dll
.

------- Sigcheck -------

[-] 2006-02-25 . 6E266AAF4168B3569A330C61AB01F6B4 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-10-08_19.16.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-08 21:16 . 2010-10-08 21:16 16384 c:\windows\Temp\Perflib_Perfdata_7c0.dat
+ 2010-10-08 20:48 . 2004-08-03 22:56 23552 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\wdmaud.drv
+ 2010-10-08 20:48 . 2004-08-03 20:08 48640 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\stream.sys
+ 2010-10-08 20:48 . 2004-08-03 20:08 60288 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\drmk.sys
+ 2010-08-19 11:54 . 2007-02-26 19:30 36864 c:\windows\system32\cmudax3.DLL
- 2010-03-09 12:12 . 2007-02-26 19:30 36864 c:\windows\system32\cmudax3.DLL
+ 2010-10-08 20:48 . 2004-08-03 21:56 4096 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\ksuser.dll
+ 2010-10-08 20:48 . 2004-08-03 20:15 145792 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\portcls.sys
+ 2010-10-08 20:48 . 2004-08-03 20:15 140928 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\ks.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 03:08 35696 ----a-w- d:\program files\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
1999-12-31 22:00 155648 ----a-r- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-06 00:27 26102056 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Program Files\\Blutut\\BlueSoleil.exe"=
"d:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [27.3.2010 20:08 135336]
S2 vseamps;vseamps;"c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe" --> c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe [?]
S2 vsedsps;vsedsps;"c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe" --> c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe [?]
S2 vseqrts;vseqrts;"c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe" --> c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\KOKI\Application Data\Mozilla\Firefox\Profiles\x3kgijhn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: d:\program files\Reader\browser\nppdf32.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-CmPCIaudio - CMICNFG3.cpl


.
Completion time: 2010-10-08 23:36:07
ComboFix-quarantined-files.txt 2010-10-08 21:36
ComboFix2.txt 2010-10-08 19:17
ComboFix3.txt 2010-09-17 14:28

Pre-Run: 16.462.073.856 bytes free
Post-Run: 16.455.667.712 bytes free

- - End Of File - - 5F5612E2750A8D9BF86599A20AA59F06

rip
  • argus  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 27 Apr 2008
  • Posts: 9160
  • Location: Prokuplje

Look here: you have two active antivirus programs, Avira and Authentium (which you probably uninstalled, but unsuccessfully).

Check whether it's in Add or Remove Programs (AVSDK5) and try to uninstall it.

If that doesn't work, download the following file to your desktop.

Run it and wait for it to finish.

...............

We'll continue tomorrow.
