Virus problem (axxxl.exe, autorun.inf, kht and khu)


  • Joined: 09 Jul 2009
  • Posts: 21
  • Location: Kosjeric, Western Serbia

The problem is this: when the computer is switched on, the virus hides files (marks them hidden) and on every partition creates a system file named kht, and sometimes also a system file named khu. So it is a file with no extension, just the name it was given (kht and khu).
I keep Avira Free Antivirus regularly updated, but it only detects the exe file, deletes it, and that's the end of it; some other file then creates the autorun file and the files mentioned at the start of this message.
It is also interesting that when connecting to the network, the exe, the autorun file and the kht files appear in all shared folders or partitions.
If more information is needed, I'm here.

HijackThis log contents:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:54:42, on 10.7.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\csrcs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\WF2K.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\net.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\system32\WF2K.EXE Initial
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2ADFC642-0698-47D7-A4FC-52995C1CA721}: NameServer = 192.168.100.252
O17 - HKLM\System\CS1\Services\Tcpip\..\{2ADFC642-0698-47D7-A4FC-52995C1CA721}: NameServer = 192.168.100.252
O17 - HKLM\System\CS2\Services\Tcpip\..\{2ADFC642-0698-47D7-A4FC-52995C1CA721}: NameServer = 192.168.100.252
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6426 bytes
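As an added example (not code from this thread), a small Python triage script that scans HijackThis log lines like the ones above for the persistence tricks this particular log shows: the system.ini Shell= value loading an extra executable next to Explorer.exe, an autostart entry under Policies\Explorer\Run, and a running process whose name is one character away from a core Windows process (csrcs.exe vs. csrss.exe). The embedded log excerpt is a constructed subset of the log posted above; the category names and core-process list are this example's own choices.

```python
"""Triage a HijackThis v2 log for the persistence indicators seen in this thread."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "category detail")

# Core Windows XP processes that malware commonly mimics by name (example list).
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"}

# Constructed excerpt of the HijackThis log posted above (raw string keeps backslashes).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\csrcs.exe
C:\WINDOWS\system32\ctfmon.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""


def _levenshtein(a, b):
    """Plain edit distance; inputs are short file names, so a full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _basename(path):
    """Last path component, lower-cased, so C:\WINDOWS\system32\csrcs.exe -> csrcs.exe."""
    return path.strip().rsplit("\\", 1)[-1].lower()


def triage_hjt(log_text):
    """Return a list of Finding tuples for the suspicious patterns in a HijackThis log."""
    findings = []
    shell_extras = set()   # executables loaded via Shell= besides Explorer.exe
    policy_run = set()     # executables started from Policies\Explorer\Run
    in_processes = False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:
            in_processes = False   # the process list ends at the first blank line
            continue
        if in_processes:
            name = _basename(line)
            if name not in CORE_PROCESSES:
                for core in CORE_PROCESSES:
                    if _levenshtein(name, core) == 1:
                        findings.append(Finding("lookalike-process",
                                                f"{line} resembles {core}"))
            continue
        # F2: the Winlogon Shell value should be exactly Explorer.exe; extra tokens
        # are executables started with the desktop, a classic worm persistence point.
        m = re.match(r"F2 - REG:system\.ini: Shell=(.+)", line)
        if m:
            for token in m.group(1).split():
                if token.lower() != "explorer.exe":
                    shell_extras.add(token.lower())
                    findings.append(Finding("shell-override", token))
            continue
        # O4 under Policies\Explorer\Run: an autostart location legitimate
        # software rarely uses and msconfig does not display.
        m = re.match(r"O4 - .*\\Policies\\Explorer\\Run: \[(.+?)\] (.+)", line)
        if m:
            policy_run.add(_basename(m.group(2)))
            findings.append(Finding("policy-run", f"[{m.group(1)}] {m.group(2)}"))
    # Same binary in both locations: redundant persistence, high confidence.
    for exe in sorted(shell_extras & policy_run):
        findings.append(Finding("multi-persistence", exe))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.category:20} {f.detail}")
```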

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...


Download sUBs' ComboFix from the following address to your Desktop:


Bleeping Computer
Right-click one of the links and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
When the dialog for choosing where to save the file opens, select Desktop and click Save.




When the download has finished:
close all running programs;
disable your security software (instructions);
double-click ComboFix to run it.

While it runs, ComboFix will:
check whether a newer version of the program exists:
click Yes if it offers to download it.
display the DISCLAIMER OF WARRANTY ON SOFTWARE:
click Yes so that the process continues.
if the Recovery Console is not installed, offer to install it:
accept by clicking Yes and follow the procedure.
ask a number of questions / show a number of notices:
accept by clicking Yes or OK.
if necessary, restart Windows (possibly several times);
at the end, open Notepad with the scan report.


Copy the report ComboFix produced into the thread on the forum:
right-click in the Notepad window and choose Select All;
right-click on the selected text and choose Copy;
right-click in the message box and choose Paste.


Note: The report will be saved under the name ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
If after posting the message you notice the report is not complete, use the Attach file option to attach the file C:\ComboFix.txt to your message.

  • Joined: 09 Jul 2009
  • Posts: 21
  • Location: Kosjeric, Western Serbia

Thanks for the effort invested so far.
ComboFix log:



ComboFix 09-07-08.07 - Milovan 10.07.2009 17:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1361 [GMT 2:00]
Running from: e:\02 software\01 Internet\Zastita\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\18574.msi
c:\windows\system32\csrcs.exe

.
((((((((((((((((((((((((( Files Created from 2009-06-10 to 2009-07-10 )))))))))))))))))))))))))))))))
.

2009-07-10 13:54 . 2009-07-10 13:54 -------- d-----w- c:\program files\Trend Micro
2009-07-08 22:52 . 2009-07-08 22:52 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-07-08 22:37 . 2009-07-09 07:38 1863712 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-08 22:37 . 2009-07-09 07:38 12064 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-07-08 22:05 . 2009-07-10 13:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-08 21:50 . 2009-07-08 21:50 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2009-07-08 21:46 . 2009-07-09 07:36 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-07-08 21:46 . 2009-07-09 07:36 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-07-08 21:46 . 2009-07-08 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2009-07-08 21:45 . 2009-07-08 21:45 -------- d-----w- c:\documents and settings\Milovan\Local Settings\Application Data\Downloaded Installations
2009-07-08 21:42 . 2002-01-05 09:37 344064 ----a-w- c:\windows\system32\msvcr70.dll
2009-07-08 21:42 . 2002-01-05 03:40 487424 ----a-w- c:\windows\system32\msvcp70.dll
2009-07-08 21:42 . 2009-07-08 21:42 -------- d-----w- c:\program files\AML Products
2009-07-08 21:42 . 2002-01-05 04:48 974848 ----a-w- c:\windows\system32\mfc70.dll
2009-07-06 15:36 . 2009-07-06 15:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-07-06 15:31 . 2009-07-06 15:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-07-06 15:31 . 2009-07-06 15:35 -------- d-----w- c:\program files\Google
2009-07-06 12:36 . 2009-07-06 15:35 -------- d-----w- c:\documents and settings\Milovan\Local Settings\Application Data\Temp
2009-07-06 12:36 . 2009-07-06 15:35 -------- d-----w- c:\documents and settings\Milovan\Local Settings\Application Data\Google
2009-06-28 19:25 . 2009-06-28 19:26 -------- d-----w- c:\program files\QuickTime
2009-06-28 19:25 . 2009-06-28 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-28 19:25 . 2009-06-28 19:25 -------- d-----w- c:\documents and settings\Milovan\Local Settings\Application Data\Apple
2009-06-28 19:25 . 2009-06-28 19:25 -------- d-----w- c:\program files\Apple Software Update
2009-06-28 19:25 . 2009-06-28 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-28 19:25 . 2009-06-28 19:25 -------- d-----w- c:\documents and settings\Milovan\Local Settings\Application Data\Apple Computer
2009-06-28 18:33 . 2009-06-28 18:33 -------- d-----w- c:\documents and settings\Milovan\Local Settings\Application Data\Microsoft Help
2009-06-28 18:33 . 2009-06-28 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-26 14:36 . 2009-06-26 14:36 -------- d-----w- c:\program files\MSXML 6.0
2009-06-26 14:32 . 2009-06-26 14:33 -------- d-----w- C:\3dsmax9Tutorials
2009-06-26 14:15 . 2009-06-26 14:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-06-26 14:09 . 2009-06-26 14:21 -------- d-----w- c:\documents and settings\Milovan\Local Settings\Application Data\Autodesk
2009-06-26 14:09 . 2009-06-26 14:18 -------- d-----w- c:\program files\Autodesk
2009-06-26 14:09 . 2009-06-26 14:18 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2009-06-26 14:04 . 2009-04-29 04:55 459264 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-06-26 14:04 . 2009-04-29 04:55 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-06-26 14:04 . 2009-04-29 04:55 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-06-26 14:04 . 2009-04-29 04:55 383488 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2009-06-26 14:04 . 2009-04-29 04:55 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2009-06-26 14:04 . 2009-04-28 09:05 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2009-06-26 14:04 . 2008-07-09 14:25 2455488 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2009-06-26 14:04 . 2009-04-29 04:55 6066176 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-06-26 14:02 . 2005-05-26 13:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-06-26 14:00 . 2009-06-26 14:01 -------- d-----w- C:\3dsmax9Trial
2009-06-26 01:30 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-06-26 01:30 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-06-26 01:28 . 2009-02-06 17:22 2136064 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-06-26 01:28 . 2009-02-06 17:24 2180480 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-06-26 01:28 . 2009-02-06 16:49 2015744 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-06-26 01:28 . 2009-02-06 16:49 2057728 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-06-26 01:16 . 2008-10-24 11:10 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-06-25 23:06 . 2009-06-25 23:06 -------- d-----w- c:\program files\uTorrent
2009-06-25 23:06 . 2009-07-08 21:46 -------- d-----w- c:\documents and settings\Milovan\Application Data\uTorrent
2009-06-25 23:03 . 2009-06-28 18:10 -------- d--h--w- c:\windows\$hf_mig$
2009-06-25 17:54 . 2009-07-10 14:04 -------- d-----w- c:\documents and settings\Milovan\Application Data\skypePM
2009-06-25 17:54 . 2009-06-25 17:54 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-06-25 17:51 . 2009-07-10 15:03 -------- d-----w- c:\documents and settings\Milovan\Application Data\Skype
2009-06-25 17:26 . 2009-06-25 17:26 -------- d-----w- c:\program files\Common Files\Skype
2009-06-25 17:26 . 2009-06-25 17:26 -------- d-----r- c:\program files\Skype
2009-06-25 17:26 . 2009-06-25 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-06-25 00:53 . 2009-06-25 00:53 -------- d-----w- c:\program files\Foxit Software
2009-06-25 00:53 . 2009-06-25 00:53 -------- d-----w- c:\documents and settings\Milovan\Application Data\Foxit
2009-06-25 00:50 . 2009-06-25 17:56 -------- d-----w- c:\documents and settings\Milovan\Local Settings\Application Data\Adobe
2009-06-25 00:44 . 2009-06-25 00:44 0 ----a-w- c:\windows\nsreg.dat
2009-06-25 00:44 . 2009-06-25 00:44 -------- d-----w- c:\documents and settings\Milovan\Local Settings\Application Data\Mozilla
2009-06-25 00:21 . 2009-03-30 08:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-25 00:21 . 2009-03-24 14:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-25 00:21 . 2009-02-13 10:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-06-25 00:21 . 2009-02-13 10:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-06-25 00:20 . 2009-06-25 00:20 -------- d-----w- c:\program files\Avira
2009-06-25 00:20 . 2009-06-25 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-22 13:23 . 2009-06-22 13:23 239088 ----a-w- c:\documents and settings\Milovan\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-06-19 22:14 . 2009-06-19 22:14 -------- d-----w- c:\documents and settings\Milovan\Local Settings\Application Data\Macromedia
2009-06-19 22:07 . 2009-06-19 22:07 45056 ----a-r- c:\documents and settings\Milovan\Application Data\Microsoft\Installer\{885A63EA-382B-4DD4-A755-14809B8557D6}\ARPPRODUCTICON.exe
2009-06-19 22:07 . 2009-06-19 22:08 -------- d-----w- c:\program files\Macromedia
2009-06-19 22:07 . 2009-06-19 22:07 -------- d-----w- c:\program files\Common Files\Macromedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-09 07:38 . 2009-07-08 22:37 3200 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-07-09 07:38 . 2009-07-08 22:37 31256 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-08 21:46 . 2009-05-22 14:55 72568 ----a-w- c:\documents and settings\Milovan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-28 18:38 . 2009-05-22 07:22 -------- d-----w- c:\program files\Microsoft Works
2009-05-25 16:25 . 2009-05-25 16:25 -------- d-----w- c:\program files\Rhinoceros 3.0
2009-05-25 16:25 . 2009-05-25 16:25 -------- d-----w- c:\program files\Common Files\McNeel Shared
2009-05-25 16:25 . 2009-05-25 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\McNeel
2009-05-25 16:05 . 2009-05-25 15:09 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-25 16:02 . 2009-05-25 16:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2009-05-25 16:02 . 2009-05-25 16:02 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-05-24 23:44 . 2009-05-22 00:00 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-24 12:03 . 2009-05-22 23:23 -------- d-----w- c:\documents and settings\Milovan\Application Data\CyberLink
2009-05-22 16:06 . 2009-05-22 16:02 -------- d-----w- c:\program files\CyberLink DVD Solution
2009-05-22 16:06 . 2009-05-22 00:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-22 16:04 . 2009-05-22 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-05-22 16:04 . 2009-05-22 16:03 -------- d-----w- c:\program files\CyberLink
2009-05-22 15:59 . 2009-05-22 14:55 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-05-22 15:59 . 2009-05-22 14:55 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-05-22 15:57 . 2009-05-22 14:55 88 --sh--r- c:\documents and settings\All Users\Application Data\F5842AF8EC.sys
2009-05-22 15:57 . 2009-05-22 14:55 88 --sh--r- c:\documents and settings\All Users\Application Data\F5842AF8EC.sys
2009-05-22 14:55 . 2009-05-22 14:55 -------- d-----w- c:\documents and settings\Milovan\Application Data\Corel
2009-05-22 07:43 . 2009-05-22 07:43 -------- d-----w- c:\program files\Common Files\Protexis
2009-05-22 07:43 . 2009-05-22 07:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2009-05-22 07:41 . 2009-05-22 07:41 -------- d-----w- c:\program files\Common Files\Corel
2009-05-22 07:36 . 2009-05-22 07:36 -------- d-----w- c:\program files\Corel
2009-05-22 07:30 . 2009-05-22 07:30 -------- d-----w- c:\program files\CorelDRAW Graphics Suite X4
2009-05-22 07:27 . 2009-05-22 07:27 -------- d-----w- c:\documents and settings\Milovan\Application Data\Design Science
2009-05-22 07:27 . 2009-05-22 07:27 -------- d-----w- c:\program files\MathType
2009-05-22 07:23 . 2009-05-22 07:23 -------- d-----w- c:\program files\Common Files\L&H
2009-05-22 07:22 . 2009-05-22 07:22 -------- d-----w- c:\program files\Microsoft.NET
2009-05-22 07:22 . 2009-05-22 07:22 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-05-22 07:17 . 2009-05-22 07:17 -------- d-----w- c:\program files\Common Files\Ulead Systems
2009-05-22 07:15 . 2009-05-22 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2009-05-22 07:15 . 2009-05-22 07:15 -------- d-----w- c:\program files\WinFast
2009-05-22 07:09 . 2009-05-22 00:07 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-22 07:04 . 2009-05-22 07:04 -------- d-----w- c:\program files\Attansic
2009-05-22 06:55 . 2009-05-22 06:55 -------- d-----w- c:\program files\Realtek
2009-05-22 06:32 . 2009-05-22 06:08 -------- d-----w- c:\program files\NVIDIA Corporation
2009-05-22 06:32 . 2009-05-22 06:32 98477 ----a-r- c:\documents and settings\Milovan\Application Data\Microsoft\Installer\{CE5FAE47-2316-499E-8BAF-BFFF4940769E}\_A3D2A7B84B2B0FD79E5279.exe
2009-05-22 06:32 . 2009-05-22 06:32 98477 ----a-r- c:\documents and settings\Milovan\Application Data\Microsoft\Installer\{CE5FAE47-2316-499E-8BAF-BFFF4940769E}\_6FEFF9B68218417F98F549.exe
2009-05-22 06:32 . 2009-05-22 06:32 10134 ----a-r- c:\documents and settings\Milovan\Application Data\Microsoft\Installer\{CE5FAE47-2316-499E-8BAF-BFFF4940769E}\_42896BCF9DF5217C8262B0.exe
2009-05-22 06:32 . 2009-05-22 06:32 -------- d-----w- c:\program files\Folding@home
2009-05-22 06:32 . 2009-05-22 06:32 -------- d-----w- c:\documents and settings\Milovan\Application Data\Folding@home-gpu
2009-05-22 06:03 . 2009-05-22 06:03 -------- d-----w- c:\program files\AGEIA Technologies
2009-05-22 06:02 . 2009-05-22 06:02 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-22 05:30 . 2009-05-21 23:58 22720 ----a-w- c:\windows\system32\emptyregdb.dat
2009-05-22 00:08 . 2009-05-22 00:08 -------- d-----w- c:\program files\VIA
2009-05-22 00:08 . 2009-05-22 00:08 -------- d-----w- c:\program files\AMD
2009-05-22 00:02 . 2009-05-22 00:02 -------- d-----w- c:\program files\microsoft frontpage
2009-05-07 15:44 . 2004-08-03 22:56 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-03 22:56 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-03 22:56 78336 ------w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2004-08-03 21:17 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-08-03 22:56 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2004-03-11 11:27 . 2009-05-22 16:03 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"PowerBar"="c:\program files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" [2003-12-22 86016]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-03 1667584]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-06-02 24264488]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-23 2836376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"WinFoxV2"="c:\windows\system32\WF2K.EXE" [2008-10-31 2342912]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-09-06 16262656]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"e:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"e:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Documents and Settings\\Milovan\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Milovan\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 mv614x;mv614x;c:\windows\system32\drivers\mv614x.sys [22.5.2009 9:05 63232]
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [22.5.2009 8:45 11264]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [25.6.2009 2:21 108289]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;c:\windows\system32\drivers\atl01_xp.sys [22.5.2009 9:04 35712]
R3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFTVFM\WFIOCTL.sys [22.5.2009 9:15 9446]
R4 WINFOXIO;WINFOXIO;c:\windows\system32\drivers\WINFOXIO.sys [22.5.2009 8:07 9600]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6.7.2009 17:31 133104]
.
Contents of the 'Scheduled Tasks' folder

2009-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-06 15:31]

2009-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-06 15:31]

2009-07-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-1383384898-839522115-1003Core.job
- c:\documents and settings\Milovan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-06 12:36]

2009-07-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-1383384898-839522115-1003UA.job
- c:\documents and settings\Milovan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-06 12:36]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Explorer_Run-csrcs - c:\windows\system32\csrcs.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: {2ADFC642-0698-47D7-A4FC-52995C1CA721} = 192.168.100.252
FF - ProfilePath - c:\documents and settings\Milovan\Application Data\Mozilla\Firefox\Profiles\ygg8x9bw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Milovan\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Milovan\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-07-10 17:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-07-10 17:04
ComboFix-quarantined-files.txt 2009-07-10 15:04

Pre-Run: 71.058.616.320 bytes free
Post-Run: 71.065.174.016 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

237 --- E O F --- 2009-06-28 18:10

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Restart the PC, double-click ComboFix to run it and post a fresh log (fresh = one created after I wrote this message).

  • Joined: 09 Jul 2009
  • Posts: 21
  • Location: Kosjeric, Western Serbia

As recommended, I restarted and then scanned with ComboFix:

ComboFix 09-07-08.A0 - Milovan 07/10/2009 17:44.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1669 [GMT 2:00]
Running from: e:\02 software\01 Internet\Zastita\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2009-06-10 to 2009-07-10 )))))))))))))))))))))))))))))))
.

2009-07-10 15:15 . 2009-07-10 15:16 -------- d-----w- c:\program files\MRSOFT
2009-07-10 13:54 . 2009-07-10 13:54 -------- d-----w- c:\program files\Trend Micro
2009-07-08 22:52 . 2009-07-08 22:52 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-07-08 22:37 . 2009-07-09 07:38 1863712 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-08 22:37 . 2009-07-09 07:38 12064 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-07-08 22:05 . 2009-07-10 13:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-08 21:50 . 2009-07-08 21:50 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2009-07-08 21:46 . 2009-07-09 07:36 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-07-08 21:46 . 2009-07-09 07:36 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-07-08 21:46 . 2009-07-08 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2009-07-08 21:45 . 2009-07-08 21:45 -------- d-----w- c:\documents and settings\Milovan\Local Settings\Application Data\Downloaded Installations
2009-07-08 21:42 . 2002-01-05 09:37 344064 ----a-w- c:\windows\system32\msvcr70.dll
2009-07-08 21:42 . 2002-01-05 03:40 487424 ----a-w- c:\windows\system32\msvcp70.dll
2009-07-08 21:42 . 2009-07-08 21:42 -------- d-----w- c:\program files\AML Products
2009-07-08 21:42 . 2002-01-05 04:48 974848 ----a-w- c:\windows\system32\mfc70.dll
2009-07-06 15:36 . 2009-07-06 15:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-07-06 15:31 . 2009-07-06 15:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-07-06 15:31 . 2009-07-06 15:35 -------- d-----w- c:\program files\Google
2009-07-06 12:36 . 2009-07-06 15:35 -------- d-----w- c:\documents and settings\Milovan\Local Settings\Application Data\Temp
2009-07-06 12:36 . 2009-07-06 15:35 -------- d-----w- c:\documents and settings\Milovan\Local Settings\Application Data\Google
2009-06-28 19:25 . 2009-06-28 19:26 -------- d-----w- c:\program files\QuickTime
2009-06-28 19:25 . 2009-06-28 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-28 19:25 . 2009-06-28 19:25 -------- d-----w- c:\documents and settings\Milovan\Local Settings\Application Data\Apple
2009-06-28 19:25 . 2009-06-28 19:25 -------- d-----w- c:\program files\Apple Software Update
2009-06-28 19:25 . 2009-06-28 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-28 19:25 . 2009-06-28 19:25 -------- d-----w- c:\documents and settings\Milovan\Local Settings\Application Data\Apple Computer
2009-06-28 18:33 . 2009-06-28 18:33 -------- d-----w- c:\documents and settings\Milovan\Local Settings\Application Data\Microsoft Help
2009-06-28 18:33 . 2009-06-28 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-26 14:36 . 2009-06-26 14:36 -------- d-----w- c:\program files\MSXML 6.0
2009-06-26 14:32 . 2009-06-26 14:33 -------- d-----w- C:\3dsmax9Tutorials
2009-06-26 14:15 . 2009-06-26 14:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-06-26 14:09 . 2009-06-26 14:21 -------- d-----w- c:\documents and settings\Milovan\Local Settings\Application Data\Autodesk
2009-06-26 14:09 . 2009-06-26 14:18 -------- d-----w- c:\program files\Autodesk
2009-06-26 14:09 . 2009-06-26 14:18 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2009-06-26 14:04 . 2009-04-29 04:55 459264 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-06-26 14:04 . 2009-04-29 04:55 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-06-26 14:04 . 2009-04-29 04:55 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-06-26 14:04 . 2009-04-29 04:55 383488 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2009-06-26 14:04 . 2009-04-29 04:55 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2009-06-26 14:04 . 2009-04-28 09:05 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2009-06-26 14:04 . 2008-07-09 14:25 2455488 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2009-06-26 14:04 . 2009-04-29 04:55 6066176 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-06-26 14:02 . 2005-05-26 13:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-06-26 14:00 . 2009-06-26 14:01 -------- d-----w- C:\3dsmax9Trial
2009-06-26 01:30 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-06-26 01:30 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-06-26 01:28 . 2009-02-06 17:22 2136064 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-06-26 01:28 . 2009-02-06 17:24 2180480 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-06-26 01:28 . 2009-02-06 16:49 2015744 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-06-26 01:28 . 2009-02-06 16:49 2057728 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-06-26 01:16 . 2008-10-24 11:10 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-06-25 23:06 . 2009-06-25 23:06 -------- d-----w- c:\program files\uTorrent
2009-06-25 23:06 . 2009-07-08 21:46 -------- d-----w- c:\documents and settings\Milovan\Application Data\uTorrent
2009-06-25 23:03 . 2009-06-28 18:10 -------- d--h--w- c:\windows\$hf_mig$
2009-06-25 17:54 . 2009-07-10 14:04 -------- d-----w- c:\documents and settings\Milovan\Application Data\skypePM
2009-06-25 17:54 . 2009-06-25 17:54 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-06-25 17:51 . 2009-07-10 15:14 -------- d-----w- c:\documents and settings\Milovan\Application Data\Skype
2009-06-25 17:26 . 2009-06-25 17:26 -------- d-----w- c:\program files\Common Files\Skype
2009-06-25 17:26 . 2009-06-25 17:26 -------- d-----r- c:\program files\Skype
2009-06-25 17:26 . 2009-06-25 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-06-25 00:53 . 2009-06-25 00:53 -------- d-----w- c:\program files\Foxit Software
2009-06-25 00:53 . 2009-06-25 00:53 -------- d-----w- c:\documents and settings\Milovan\Application Data\Foxit
2009-06-25 00:50 . 2009-06-25 17:56 -------- d-----w- c:\documents and settings\Milovan\Local Settings\Application Data\Adobe
2009-06-25 00:44 . 2009-06-25 00:44 0 ----a-w- c:\windows\nsreg.dat
2009-06-25 00:44 . 2009-06-25 00:44 -------- d-----w- c:\documents and settings\Milovan\Local Settings\Application Data\Mozilla
2009-06-25 00:21 . 2009-03-30 08:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-25 00:21 . 2009-03-24 14:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-25 00:21 . 2009-02-13 10:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-06-25 00:21 . 2009-02-13 10:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-06-25 00:20 . 2009-06-25 00:20 -------- d-----w- c:\program files\Avira
2009-06-25 00:20 . 2009-06-25 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-22 13:23 . 2009-06-22 13:23 239088 ----a-w- c:\documents and settings\Milovan\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-06-19 22:14 . 2009-06-19 22:14 -------- d-----w- c:\documents and settings\Milovan\Local Settings\Application Data\Macromedia
2009-06-19 22:07 . 2009-06-19 22:07 45056 ----a-r- c:\documents and settings\Milovan\Application Data\Microsoft\Installer\{885A63EA-382B-4DD4-A755-14809B8557D6}\ARPPRODUCTICON.exe
2009-06-19 22:07 . 2009-06-19 22:08 -------- d-----w- c:\program files\Macromedia
2009-06-19 22:07 . 2009-06-19 22:07 -------- d-----w- c:\program files\Common Files\Macromedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-09 07:38 . 2009-07-08 22:37 3200 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-07-09 07:38 . 2009-07-08 22:37 31256 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-08 21:46 . 2009-05-22 14:55 72568 ----a-w- c:\documents and settings\Milovan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-28 18:38 . 2009-05-22 07:22 -------- d-----w- c:\program files\Microsoft Works
2009-05-25 16:25 . 2009-05-25 16:25 -------- d-----w- c:\program files\Rhinoceros 3.0
2009-05-25 16:25 . 2009-05-25 16:25 -------- d-----w- c:\program files\Common Files\McNeel Shared
2009-05-25 16:25 . 2009-05-25 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\McNeel
2009-05-25 16:05 . 2009-05-25 15:09 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-25 16:02 . 2009-05-25 16:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2009-05-25 16:02 . 2009-05-25 16:02 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-05-24 23:44 . 2009-05-22 00:00 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-24 12:03 . 2009-05-22 23:23 -------- d-----w- c:\documents and settings\Milovan\Application Data\CyberLink
2009-05-22 16:06 . 2009-05-22 16:02 -------- d-----w- c:\program files\CyberLink DVD Solution
2009-05-22 16:06 . 2009-05-22 00:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-22 16:04 . 2009-05-22 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-05-22 16:04 . 2009-05-22 16:03 -------- d-----w- c:\program files\CyberLink
2009-05-22 15:59 . 2009-05-22 14:55 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-05-22 15:59 . 2009-05-22 14:55 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-05-22 15:57 . 2009-05-22 14:55 88 --sh--r- c:\documents and settings\All Users\Application Data\F5842AF8EC.sys
2009-05-22 15:57 . 2009-05-22 14:55 88 --sh--r- c:\documents and settings\All Users\Application Data\F5842AF8EC.sys
2009-05-22 14:55 . 2009-05-22 14:55 -------- d-----w- c:\documents and settings\Milovan\Application Data\Corel
2009-05-22 07:43 . 2009-05-22 07:43 -------- d-----w- c:\program files\Common Files\Protexis
2009-05-22 07:43 . 2009-05-22 07:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2009-05-22 07:41 . 2009-05-22 07:41 -------- d-----w- c:\program files\Common Files\Corel
2009-05-22 07:36 . 2009-05-22 07:36 -------- d-----w- c:\program files\Corel
2009-05-22 07:30 . 2009-05-22 07:30 -------- d-----w- c:\program files\CorelDRAW Graphics Suite X4
2009-05-22 07:27 . 2009-05-22 07:27 -------- d-----w- c:\documents and settings\Milovan\Application Data\Design Science
2009-05-22 07:27 . 2009-05-22 07:27 -------- d-----w- c:\program files\MathType
2009-05-22 07:23 . 2009-05-22 07:23 -------- d-----w- c:\program files\Common Files\L&H
2009-05-22 07:22 . 2009-05-22 07:22 -------- d-----w- c:\program files\Microsoft.NET
2009-05-22 07:22 . 2009-05-22 07:22 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-05-22 07:17 . 2009-05-22 07:17 -------- d-----w- c:\program files\Common Files\Ulead Systems
2009-05-22 07:15 . 2009-05-22 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2009-05-22 07:15 . 2009-05-22 07:15 -------- d-----w- c:\program files\WinFast
2009-05-22 07:09 . 2009-05-22 00:07 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-22 07:04 . 2009-05-22 07:04 -------- d-----w- c:\program files\Attansic
2009-05-22 06:55 . 2009-05-22 06:55 -------- d-----w- c:\program files\Realtek
2009-05-22 06:32 . 2009-05-22 06:08 -------- d-----w- c:\program files\NVIDIA Corporation
2009-05-22 06:32 . 2009-05-22 06:32 98477 ----a-r- c:\documents and settings\Milovan\Application Data\Microsoft\Installer\{CE5FAE47-2316-499E-8BAF-BFFF4940769E}\_A3D2A7B84B2B0FD79E5279.exe
2009-05-22 06:32 . 2009-05-22 06:32 98477 ----a-r- c:\documents and settings\Milovan\Application Data\Microsoft\Installer\{CE5FAE47-2316-499E-8BAF-BFFF4940769E}\_6FEFF9B68218417F98F549.exe
2009-05-22 06:32 . 2009-05-22 06:32 10134 ----a-r- c:\documents and settings\Milovan\Application Data\Microsoft\Installer\{CE5FAE47-2316-499E-8BAF-BFFF4940769E}\_42896BCF9DF5217C8262B0.exe
2009-05-22 06:32 . 2009-05-22 06:32 -------- d-----w- c:\program files\Folding@home
2009-05-22 06:32 . 2009-05-22 06:32 -------- d-----w- c:\documents and settings\Milovan\Application Data\Folding@home-gpu
2009-05-22 06:03 . 2009-05-22 06:03 -------- d-----w- c:\program files\AGEIA Technologies
2009-05-22 06:02 . 2009-05-22 06:02 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-22 05:30 . 2009-05-21 23:58 22720 ----a-w- c:\windows\system32\emptyregdb.dat
2009-05-22 00:08 . 2009-05-22 00:08 -------- d-----w- c:\program files\VIA
2009-05-22 00:08 . 2009-05-22 00:08 -------- d-----w- c:\program files\AMD
2009-05-22 00:02 . 2009-05-22 00:02 -------- d-----w- c:\program files\microsoft frontpage
2009-05-07 15:44 . 2004-08-03 22:56 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-03 22:56 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-03 22:56 78336 ------w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2004-08-03 21:17 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-08-03 22:56 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2004-03-11 11:27 . 2009-05-22 16:03 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"WinFoxV2"="c:\windows\system32\WF2K.EXE" [2008-10-31 2342912]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-09-06 16262656]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"e:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"e:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Documents and Settings\\Milovan\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Milovan\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 mv614x;mv614x;c:\windows\system32\drivers\mv614x.sys [5/22/2009 9:05 63232]
R0 Shadow;Shadow; [x]
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [5/22/2009 8:45 11264]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/25/2009 2:21 108289]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;c:\windows\system32\drivers\atl01_xp.sys [5/22/2009 9:04 35712]
R4 WINFOXIO;WINFOXIO;c:\windows\system32\drivers\WINFOXIO.sys [5/22/2009 8:07 9600]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/6/2009 17:31 133104]
S3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFTVFM\WFIOCTL.sys [5/22/2009 9:15 9446]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SHADOW
.
Contents of the 'Scheduled Tasks' folder

2009-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-06 15:31]

2009-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-06 15:31]

2009-07-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-1383384898-839522115-1003Core.job
- c:\documents and settings\Milovan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-06 12:36]

2009-07-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-1383384898-839522115-1003UA.job
- c:\documents and settings\Milovan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-06 12:36]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: {2ADFC642-0698-47D7-A4FC-52995C1CA721} = 192.168.100.252
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-07-10 17:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3976)
c:\windows\system32\msi.dll
.
Completion time: 2009-07-10 17:47
ComboFix-quarantined-files.txt 2009-07-10 15:47

Pre-Run: 71.056.318.464 bytes free
Post-Run: 71.032.885.248 bytes free

220 --- E O F --- 2009-06-28 18:10

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Are you using this software: http://www.storagecraft.com/shadow_user.php


Download gmer.zip from this link and save it to the Desktop.
Unpack it into a folder.

Double-click gmer.exe to start: select the Rootkit/Malware tab at the top.
Click Scan.
When the scan is finished, click the Copy button below - this saves the scan results to the Clipboard.
Use the Paste option in Notepad to turn that into text. Save that text from Notepad as file1.txt.
Repeat the same with the Autostart tab. Save that text from Notepad as file2.txt.

Use the Attach file option below the message box on the forum and attach here the two files we just saved.

  • Joined: 09 Jul 2009
  • Posts: 21
  • Location: Kosjeric, Western Serbia

Written: 09 Jul 2009 19:42

dr_Bora :: Are you using this software: storagecraft.com/shadow_user.php
No, but I installed it to try it out, and then removed it from the computer.

Update: 09 Jul 2009 20:00

Done as recommended:

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

There should be no active malware here now. Status?

  • Joined: 09 Jul 2009
  • Posts: 21
  • Location: Kosjeric, Western Serbia

Excellent, the system is stable.
No recurrence of the old problems.

Anyone who has this kind of problem should follow the procedure written above and it will solve the problem 100%.

Cheers.

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

ComboFix needs to be uninstalled:
click Start, then RUN.

On Vista use the Start Search box if Run is not available.

Type (or copy) the following into the text input line:

combofix /u

Note that there is a space between "ComboFix" and "/u".

then click OK (or press Enter).

Wait for the uninstallation process to finish.

That's all...
