Internet disconnects caused by cfdrive32.exe and msvmiode.exe

  • Joined: 29 Nov 2009
  • Posts: 77

Posted: 08 Oct 2010 18:41

Hi, since this morning my internet connection keeps dropping, and Malwarebytes' Anti-Malware shows me this:
--------------------------------------------------------
Inficirani procesi u memoriji:
C:\WINDOWS\system32\msvmiode.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\WINDOWS\cfdrive32.exe (Trojan.Agent) -> Failed to unload process.

Inficirani moduli u memoriji:
(Maliciozne stavke nisu pronađene)

Inficirani ključevi u registru:
(Maliciozne stavke nisu pronađene)

Inficirane vrednosti u registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msodesnv7 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft driver setup (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\microsoft driver setup (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Worm.Palevo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Worm.Palevo) -> Quarantined and deleted successfully.

Inficirani podaci u registru:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\RECYCLER\S-1-5-21-1412536315-7278018949-042774263-0837\syscr.exe,explorer.exe,C:\Documents and Settings\KOKI\Application Data\ltzqai.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Inficirane fascikle:
(Maliciozne stavke nisu pronađene)
-------------------------------------------------------------------------------
I go into Safe Mode and delete it, but it all comes back, the internet drops again, so it's back into Safe Mode and the same thing all over again!
Thanks in advance!


Update: 08 Oct 2010 18:54

I'm using 32-bit Windows and cable internet.

  • argus (Male)
  • Anti Malware Fighter
    Rank 2
  • Joined: 27 Apr 2008
  • Posts: 9160
  • Location: Prokuplje

Hi, we'll have to follow a few rules.

Read the instructions and post the appropriate logs so that we can continue.

Instructions

  • Joined: 29 Nov 2009
  • Posts: 77

  • argus (Male)
  • Anti Malware Fighter
    Rank 2
  • Joined: 27 Apr 2008
  • Posts: 9160
  • Location: Prokuplje

Not good, the DDS.txt and Gmer logs are missing.

  • Joined: 29 Nov 2009
  • Posts: 77

Yes, I'm doing that now; I sent you this as soon as I made it.

  • argus (Male)
  • Anti Malware Fighter
    Rank 2
  • Joined: 27 Apr 2008
  • Posts: 9160
  • Location: Prokuplje

OK, wait and then post everything at once, and don't forget the DDS.txt log.

  • Joined: 29 Nov 2009
  • Posts: 77

Posted: 08 Oct 2010 20:11

Working on it, OK!

Update: 08 Oct 2010 20:43

I'm done with Gmer; here is the DDS.txt log.
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

DDS (Ver_10-10-05.01) - NTFSx86
Run by KOKI at 19:50:58,17 on pet 08.10.2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.511.165 [GMT 2:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\msvmiode.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\PhotoFiltre\PhotoFiltre.exe
D:\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: Taskman=c:\documents and settings\koki\application data\ltzqai.exe
uWinlogon: Shell=c:\recycler\s-1-5-21-1700588231-8480441840-199934437-5100\syscr.exe,explorer.exe,c:\documents and settings\koki\application data\ltzqai.exe,Explorer.exen
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSODESNV7] c:\windows\system32\msvmiode.exe
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\koki\applic~1\mozilla\firefox\profiles\x3kgijhn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: d:\program files\reader\browser\nppdf32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-27 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-27 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-27 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-3-27 60936]
S2 vseamps;vseamps;"c:\program files\common files\authentium\antivirus5\vseamps.exe" --> c:\program files\common files\authentium\antivirus5\vseamps.exe [?]
S2 vsedsps;vsedsps;"c:\program files\common files\authentium\antivirus5\vsedsps.exe" --> c:\program files\common files\authentium\antivirus5\vsedsps.exe [?]
S2 vseqrts;vseqrts;"c:\program files\common files\authentium\antivirus5\vseqrts.exe" --> c:\program files\common files\authentium\antivirus5\vseqrts.exe [?]

=============== Created Last 30 ================

2010-10-08 17:42:32 94208 ----a-w- c:\windows\system32\82.exe
2010-10-08 17:40:08 94208 ----a-w- c:\windows\system32\74.exe
2010-10-08 17:24:57 94208 ----a-w- c:\windows\system32\37.exe
2010-10-08 17:16:48 94208 ----a-w- c:\windows\system32\01.exe
2010-10-08 17:16:35 94208 ----a-w- c:\windows\system32\22.exe
2010-10-08 17:15:43 94208 ----a-w- c:\windows\system32\17.exe
2010-10-08 17:09:12 94208 ----a-w- c:\windows\system32\57.exe
2010-10-08 17:05:50 94208 ----a-w- c:\windows\system32\61.exe
2010-10-08 16:51:52 94208 ----a-w- c:\windows\system32\71.exe
2010-10-08 16:43:14 94208 ----a-w- c:\windows\system32\66.exe
2010-10-08 16:42:24 94208 ----a-w- c:\windows\system32\40.exe
2010-10-08 16:35:52 94208 ----a-w- c:\windows\system32\08.exe
2010-10-08 16:33:27 94208 ----a-w- c:\windows\system32\55.exe
2010-10-08 16:32:29 94208 ----a-w- c:\windows\system32\77.exe
2010-10-08 15:44:56 94208 ----a-w- c:\windows\system32\06.exe
2010-10-08 15:29:13 94208 ----a-w- c:\windows\system32\33.exe
2010-10-08 15:26:46 94208 ----a-w- c:\windows\system32\26.exe
2010-10-08 15:11:28 94208 ----a-w- c:\windows\system32\72.exe
2010-10-08 15:10:21 131072 ----a-w- c:\windows\system32\msvmiode.exe
2010-10-08 15:10:20 86016 --sh--r- c:\windows\cfdrive32.exe
2010-10-08 15:10:15 90112 --sh--r- c:\docume~1\koki\applic~1\ltzqai.exe
2010-10-08 12:58:58 94208 ----a-w- c:\windows\system32\62.exe
2010-10-08 12:54:36 94208 ----a-w- c:\windows\system32\10.exe
2010-10-08 12:49:48 94208 ----a-w- c:\windows\system32\31.exe
2010-10-08 12:40:34 94208 ----a-w- c:\windows\system32\05.exe
2010-10-08 12:18:38 94208 ----a-w- c:\windows\system32\24.exe
2010-10-08 12:15:20 94208 ----a-w- c:\windows\system32\32.exe
2010-10-08 12:09:12 94208 ----a-w- c:\windows\system32\36.exe
2010-10-08 11:39:09 131072 ----a-w- c:\windows\system32\virus.exe
2010-09-25 07:35:34 9600 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-09-25 07:35:34 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-09-17 11:15:25 -------- d-sha-r- C:\cmdcons

==================== Find3M ====================

2010-07-17 03:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-17 00:42:29 73728 ----a-w- c:\windows\system32\javacpl.cpl

============= FINISH: 19:52:15,68 ===============

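The DDS log above (together with the Malwarebytes report in the first post) shows why deleting the files in Safe Mode did not help: the infection re-launches through Winlogon (the Shell value lists extra executables besides explorer.exe and Taskman points at ltzqai.exe), through a Run key (MSODESNV7 -> msvmiode.exe), and it keeps dropping numerically named executables into system32, some with hidden+system+read-only attributes. The Python script below is an added example written for this page, not part of the thread or of the DDS, Malwarebytes or ComboFix tools; it triages a DDS-style log for exactly those indicators. The sample input is constructed from a few lines of the log above, and the check names and heuristics are my own.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape of the DDS log posted in the thread (only a few lines kept).
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: Taskman=c:\documents and settings\koki\application data\ltzqai.exe
uWinlogon: Shell=c:\recycler\s-1-5-21-1700588231-8480441840-199934437-5100\syscr.exe,explorer.exe,c:\documents and settings\koki\application data\ltzqai.exe,Explorer.exen
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [MSODESNV7] c:\windows\system32\msvmiode.exe
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE

=============== Created Last 30 ================

2010-10-08 17:42:32 94208 ----a-w- c:\windows\system32\82.exe
2010-10-08 15:10:21 131072 ----a-w- c:\windows\system32\msvmiode.exe
2010-10-08 15:10:20 86016 --sh--r- c:\windows\cfdrive32.exe
2010-10-08 15:10:15 90112 --sh--r- c:\docume~1\koki\applic~1\ltzqai.exe
2010-09-25 07:35:34 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
"""

# Line shapes used by DDS: "mWinlogon: Key=value", "mRun: [Name] command", and
# "YYYY-MM-DD HH:MM:SS size attrs path" in the Created Last 30 section.
WINLOGON_RE = re.compile(r"^[mu]Winlogon:\s*(\w+)=(.*)$", re.I)
RUN_RE = re.compile(r"^[mud]Run:\s*\[([^\]]+)\]\s*(.*)$", re.I)
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+(\S{8})\s+(.+)$")
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com"}


def _target_of(run_value: str) -> str:
    """Strip quotes and arguments from a Run command, keeping only the executable path."""
    value = run_value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0].lower()
    return value.split(" ", 1)[0].lower()


def triage_dds(text: str) -> list[dict]:
    """Return a list of findings ({'check': ..., 'detail': ...}) for a DDS log."""
    findings = []
    created = {}      # lower-cased path -> 8-char attribute string
    autostarts = []   # (Run value name, executable path)

    for line in text.splitlines():
        line = line.strip()
        m = WINLOGON_RE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "shell":
                # Shell is a comma-separated list; anything besides explorer.exe is a hijack.
                extra = [p for p in value.split(",") if p.strip().lower() != "explorer.exe"]
                if extra:
                    findings.append({"check": "winlogon-shell", "detail": ", ".join(extra)})
            elif key == "taskman" and value:
                # Taskman is normally absent; any value is an alternate-launch persistence point.
                findings.append({"check": "winlogon-taskman", "detail": value})
            continue
        m = RUN_RE.match(line)
        if m:
            autostarts.append((m.group(1), _target_of(m.group(2))))
            continue
        m = CREATED_RE.match(line)
        if m:
            created[m.group(2).strip().lower()] = m.group(1)

    for path, attrs in created.items():
        p = PureWindowsPath(path)
        if p.suffix.lower() not in EXEC_EXT:
            continue
        if p.stem.isdigit():
            # Dropper output such as 82.exe, 74.exe: no legitimate component is named this way.
            findings.append({"check": "numeric-exe", "detail": path})
        if "s" in attrs and "h" in attrs:
            # Hidden + system attributes on a fresh executable hide it from casual directory listings.
            findings.append({"check": "hidden-system-exe", "detail": path})

    for name, target in autostarts:
        # A Run entry whose target was created within the reporting window deserves a look.
        if target in created:
            findings.append({"check": "new-autostart", "detail": f"{name} -> {target}"})
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f['check']}] {f['detail']}")
```

The script only flags; it does not touch the system. Run against the sample it reports the Shell and Taskman hijacks, 82.exe as a numeric-named executable, cfdrive32.exe and ltzqai.exe as hidden+system executables, and MSODESNV7 as an autostart pointing at a freshly created file, while avgnt.exe and hidusb.sys pass. The "new autostart" check is the one that explains the thread's symptom: as long as the Run value and the Winlogon entries survive, deleting the files alone is undone at the next logon.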

  • argus (Male)
  • Anti Malware Fighter
    Rank 2
  • Joined: 27 Apr 2008
  • Posts: 9160
  • Location: Prokuplje

Download sUBs' ComboFix from the following address to your Desktop:

Bleeping Computer
  • Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
  • When the dialog for choosing where to save the file opens, select Desktop and click Save.

When the download is finished:
  • disable your security software (instructions);
  • close any running programs;
  • double-click ComboFix to run it.

While it runs, ComboFix will:
  • check whether a newer version of the program exists: click Yes if it offers to download it;
  • display the DISCLAIMER OF WARRANTY ON SOFTWARE: click Yes to continue;
  • offer to install the Recovery Console if it is not installed: be sure to accept by clicking Yes and follow the procedure;
  • ask a number of questions / show a number of notices: accept with Yes or OK;
  • restart Windows if necessary (possibly several times);
  • at the end, open Notepad with the scan report.

Copy the report ComboFix produced into this thread:
  • right-click in the Notepad window and choose Select All;
  • right-click the selected text and choose Copy;
  • right-click in the message box and choose Paste.

Note: the report is saved as ComboFix.txt on the system partition (typically C:\ComboFix.txt);
if after posting you notice that the report is incomplete, use the Attach file option to attach C:\ComboFix.txt to your message.

  • Joined: 29 Nov 2009
  • Posts: 77

Posted: 08 Oct 2010 21:18

ComboFix 10-10-07.02 - KOKI 08.10.2010 21:12:12.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.511.239 [GMT 2:00]
Running from: c:\documents and settings\KOKI\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\KOKI\Application Data\ltzqai.exe
c:\windows\cfdrive32.exe
c:\windows\system32\01.exe
c:\windows\system32\05.exe
c:\windows\system32\06.exe
c:\windows\system32\08.exe
c:\windows\system32\10.exe
c:\windows\system32\17.exe
c:\windows\system32\22.exe
c:\windows\system32\24.exe
c:\windows\system32\26.exe
c:\windows\system32\31.exe
c:\windows\system32\32.exe
c:\windows\system32\33.exe
c:\windows\system32\36.exe
c:\windows\system32\37.exe
c:\windows\system32\40.exe
c:\windows\system32\55.exe
c:\windows\system32\57.exe
c:\windows\system32\61.exe
c:\windows\system32\62.exe
c:\windows\system32\66.exe
c:\windows\system32\71.exe
c:\windows\system32\72.exe
c:\windows\system32\74.exe
c:\windows\system32\77.exe
c:\windows\system32\82.exe
c:\windows\system32\msvmiode.exe
c:\windows\system32\virus.exe

----- File Replicators -----

c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C5IV8PYN\r[1].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C5IV8PYN\r[2].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C5IV8PYN\r[3].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C5IV8PYN\r[4].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\G1IJSHE7\r[1].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\G1IJSHE7\r[2].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\G1IJSHE7\r[3].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\G1YVSLQ3\r[1].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\G1YVSLQ3\r[2].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\G1YVSLQ3\r[3].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\G1YVSLQ3\r[4].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\G1YVSLQ3\r[5].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\G1YVSLQ3\r[6].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\G1YVSLQ3\r[7].exe
c:\system volume information\_restore{E682E130-9CE3-4FC0-9397-0A80FBD58E0A}\RP1\A0000027.exe
c:\system volume information\_restore{E682E130-9CE3-4FC0-9397-0A80FBD58E0A}\RP1\A0000035.exe
c:\system volume information\_restore{E682E130-9CE3-4FC0-9397-0A80FBD58E0A}\RP1\A0000047.exe
c:\windows\system32\01.exe
c:\windows\system32\05.exe
c:\windows\system32\06.exe
c:\windows\system32\08.exe
c:\windows\system32\10.exe
c:\windows\system32\17.exe
c:\windows\system32\22.exe
c:\windows\system32\24.exe
c:\windows\system32\26.exe
c:\windows\system32\31.exe
c:\windows\system32\32.exe
c:\windows\system32\33.exe
c:\windows\system32\36.exe
c:\windows\system32\37.exe
c:\windows\system32\40.exe
c:\windows\system32\55.exe
c:\windows\system32\57.exe
c:\windows\system32\61.exe
c:\windows\system32\62.exe
c:\windows\system32\66.exe
c:\windows\system32\71.exe
c:\windows\system32\72.exe
c:\windows\system32\74.exe
c:\windows\system32\77.exe
c:\windows\system32\82.exe
.
.
((((((((((((((((((((((((( Files Created from 2010-09-08 to 2010-10-08 )))))))))))))))))))))))))))))))
.

2010-09-25 07:35 . 2001-08-17 11:02 9600 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-09-25 07:35 . 2001-08-17 11:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-09-22 11:17 . 2010-09-22 11:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\PDFcreator
2010-09-21 18:37 . 2010-09-21 18:37 932288 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\6787\AdobeARM.exe
2010-09-21 18:37 . 2010-09-21 18:37 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\6787\AdobeExtractFiles.dll
2010-09-21 18:37 . 2010-09-21 18:37 338856 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\6787\ReaderUpdater.exe
2010-09-21 18:37 . 2010-09-21 18:37 338856 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\6787\AcrobatUpdater.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-08 18:03 . 2010-03-27 12:36 -------- d-----w- c:\documents and settings\KOKI\Application Data\Skype
2010-10-08 17:58 . 2010-03-27 12:42 -------- d-----w- c:\documents and settings\KOKI\Application Data\skypePM
2010-09-17 13:05 . 2010-08-19 16:13 -------- d-----w- c:\program files\Common Files\Authentium
2010-09-04 12:22 . 2010-09-04 12:22 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-31 12:52 . 2010-08-31 12:52 -------- d-----w- c:\documents and settings\Administrator.KOKI-1CCE0A537D\Application Data\Malwarebytes
2010-08-19 12:06 . 2010-08-19 11:54 -------- d-----w- c:\program files\C-Media PCI Audio Device
2010-08-19 11:53 . 2010-03-27 16:57 -------- d-----w- c:\program files\Common Files\InstallShield
2010-08-19 11:39 . 2010-08-19 11:39 -------- d-----w- c:\program files\Common Files\Java
2010-08-19 11:39 . 2010-05-30 22:56 -------- d-----w- c:\program files\Java
2010-08-19 11:31 . 2010-08-06 11:35 -------- d-----w- c:\documents and settings\KOKI\Application Data\vlc
2010-08-19 11:29 . 2010-08-18 11:37 -------- d-----w- c:\program files\TextEdit
2010-07-17 03:00 . 2010-05-30 22:56 423656 ----a-w- c:\windows\system32\deployJava1.dll
.

------- Sigcheck -------

[-] 2006-02-25 . 6E266AAF4168B3569A330C61AB01F6B4 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 03:08 35696 ----a-w- d:\program files\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
1999-12-31 22:00 155648 ----a-r- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-06 00:27 26102056 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Program Files\\Blutut\\BlueSoleil.exe"=
"d:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [27.3.2010 20:08 135336]
S2 vseamps;vseamps;"c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe" --> c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe [?]
S2 vsedsps;vsedsps;"c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe" --> c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe [?]
S2 vseqrts;vseqrts;"c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe" --> c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - kgloyfod
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\KOKI\Application Data\Mozilla\Firefox\Profiles\x3kgijhn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: d:\program files\Reader\browser\nppdf32.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.
.
Completion time: 2010-10-08 21:17:41
ComboFix-quarantined-files.txt 2010-10-08 19:17
ComboFix2.txt 2010-09-17 14:28

Pre-Run: 16.477.175.808 bytes free
Post-Run: 16.517.312.512 bytes free

- - End Of File - - C73AEB908E4A16CCDB2F16F2091A5CDE

Update: 08 Oct 2010 22:59

It's still detecting viruses!


Update: 08 Oct 2010 23:47

Here's a new ComboFix log, because my sound disappeared so I updated the drivers!
I wrote that it detected viruses again and I get the message shown in the picture!

ComboFix 10-10-07.02 - KOKI 08.10.2010 23:31:32.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.511.330 [GMT 2:00]
Running from: c:\documents and settings\KOKI\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\KOKI\Application Data\ltzqai.exe
c:\windows\system32\20.exe
c:\windows\system32\37.exe
c:\windows\system32\53.exe
c:\windows\system32\66.exe
c:\windows\system32\76.exe
c:\windows\system32\msvmiode.exe

.
((((((((((((((((((((((((( Files Created from 2010-09-08 to 2010-10-08 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-08 21:06 . 2010-03-27 12:36 -------- d-----w- c:\documents and settings\KOKI\Application Data\Skype
2010-10-08 20:48 . 2010-08-19 11:54 -------- d-----w- c:\program files\C-Media PCI Audio Device
2010-10-08 17:58 . 2010-03-27 12:42 -------- d-----w- c:\documents and settings\KOKI\Application Data\skypePM
2010-09-22 11:17 . 2010-09-22 11:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\PDFcreator
2010-09-21 18:37 . 2010-09-21 18:37 932288 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\6787\AdobeARM.exe
2010-09-21 18:37 . 2010-09-21 18:37 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\6787\AdobeExtractFiles.dll
2010-09-21 18:37 . 2010-09-21 18:37 338856 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\6787\ReaderUpdater.exe
2010-09-21 18:37 . 2010-09-21 18:37 338856 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\6787\AcrobatUpdater.exe
2010-09-17 13:05 . 2010-08-19 16:13 -------- d-----w- c:\program files\Common Files\Authentium
2010-09-04 12:22 . 2010-09-04 12:22 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-31 12:52 . 2010-08-31 12:52 -------- d-----w- c:\documents and settings\Administrator.KOKI-1CCE0A537D\Application Data\Malwarebytes
2010-08-19 11:53 . 2010-03-27 16:57 -------- d-----w- c:\program files\Common Files\InstallShield
2010-08-19 11:39 . 2010-08-19 11:39 -------- d-----w- c:\program files\Common Files\Java
2010-08-19 11:39 . 2010-05-30 22:56 -------- d-----w- c:\program files\Java
2010-08-19 11:31 . 2010-08-06 11:35 -------- d-----w- c:\documents and settings\KOKI\Application Data\vlc
2010-08-19 11:29 . 2010-08-18 11:37 -------- d-----w- c:\program files\TextEdit
2010-07-17 03:00 . 2010-05-30 22:56 423656 ----a-w- c:\windows\system32\deployJava1.dll
.

------- Sigcheck -------

[-] 2006-02-25 . 6E266AAF4168B3569A330C61AB01F6B4 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-10-08_19.16.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-08 21:16 . 2010-10-08 21:16 16384 c:\windows\Temp\Perflib_Perfdata_7c0.dat
+ 2010-10-08 20:48 . 2004-08-03 22:56 23552 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\wdmaud.drv
+ 2010-10-08 20:48 . 2004-08-03 20:08 48640 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\stream.sys
+ 2010-10-08 20:48 . 2004-08-03 20:08 60288 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\drmk.sys
+ 2010-08-19 11:54 . 2007-02-26 19:30 36864 c:\windows\system32\cmudax3.DLL
- 2010-03-09 12:12 . 2007-02-26 19:30 36864 c:\windows\system32\cmudax3.DLL
+ 2010-10-08 20:48 . 2004-08-03 21:56 4096 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\ksuser.dll
+ 2010-10-08 20:48 . 2004-08-03 20:15 145792 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\portcls.sys
+ 2010-10-08 20:48 . 2004-08-03 20:15 140928 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\ks.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 03:08 35696 ----a-w- d:\program files\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
1999-12-31 22:00 155648 ----a-r- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-06 00:27 26102056 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Program Files\\Blutut\\BlueSoleil.exe"=
"d:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [27.3.2010 20:08 135336]
S2 vseamps;vseamps;"c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe" --> c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe [?]
S2 vsedsps;vsedsps;"c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe" --> c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe [?]
S2 vseqrts;vseqrts;"c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe" --> c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\KOKI\Application Data\Mozilla\Firefox\Profiles\x3kgijhn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: d:\program files\Reader\browser\nppdf32.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-CmPCIaudio - CMICNFG3.cpl


.
Completion time: 2010-10-08 23:36:07
ComboFix-quarantined-files.txt 2010-10-08 21:36
ComboFix2.txt 2010-10-08 19:17
ComboFix3.txt 2010-09-17 14:28

Pre-Run: 16.462.073.856 bytes free
Post-Run: 16.455.667.712 bytes free

- - End Of File - - 5F5612E2750A8D9BF86599A20AA59F06

  • argus (Male)
  • Anti Malware Fighter
    Rank 2
  • Joined: 27 Apr 2008
  • Posts: 9160
  • Location: Prokuplje

Look here, you have two active antivirus programs, Avira and Authentium (which you probably uninstalled, but unsuccessfully).

Check whether it is listed in Add or Remove Programs (AVSDK5) and try to uninstall it.

If that doesn't work, download the following file to your desktop

Run it and wait for it to finish.

...............

We'll continue tomorrow.
