Problemi sa wirtumonde i win32.monder.gen

  • Joined: 05 Jun 2008
  • Posts: 13
  • Location: NS

Hi, I've had the computer for a relatively short time, and this is my first bigger trouble with viruses. Namely, for a week now KIS 7 has been detecting various trojans and viruses, and most of them it can't "disinfect"; it only offers delete and then puts them in Back-up, where it says infected... Anyway, to keep it short, I did everything as the instructions say, and here is the HijackThis result... Oh, and let me also mention this: in the past 5-6 days I've tried to cure the computer with everything imaginable, like Spybot, AdAware, ComboFix, PandaLiveScan... Nothing helped, so if you know a solution, please help before it's too late. Regards and thanks in advance


Logfile of HijackThis v1.99.1
Scan saved at 00:23:45, on 5.6.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ApexDC++_Gusari_XY6\ApexDC.exe
C:\Program Files\Java\jre1.6.0_05\bin\javaw.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Milenko Todoreskov\Desktop\New Folder\TR3.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = g.msn.com/0SEENUS/SAOS01
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06E12C36-760F-4D92-8509-5E5DBF12C423} - C:\WINDOWS\system32\tuvWonom.dll
O2 - BHO: (no name) - {22329174-57D6-4BCE-9F42-E9ECB3C7D860} - (no file)
O2 - BHO: (no name) - {32F785DA-507D-44B7-9B9D-02F188CFE1C1} - (no file)
O2 - BHO: (no name) - {38A2FFD5-54EE-403B-A9F9-184E218758FB} - (no file)
O2 - BHO: (no name) - {4F0C747C-1D30-4837-B846-DED3EDAB0916} - C:\WINDOWS\system32\tuvULExY.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6F866AD4-3B26-4114-A0FB-41E783473BBF} - C:\WINDOWS\system32\tuvTmJab.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {E3BC7E81-1F22-4DB5-A79A-AA49074B1B8A} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Milenko Todoreskov\Desktop\setup_sbd_en.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [iLike] C:\Program Files\iLike\1.1.27\ilikesidebar.exe /checkforupdate
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{B488A647-8894-41FC-BFB3-CC4A7D141155}: NameServer = 82.117.194.2,82.117.194.3
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: tuvWonom - C:\WINDOWS\SYSTEM32\tuvWonom.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing)
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hi...



It is necessary to temporarily disable the protection software:

Spybot S&D's TeaTimer

Start Spybot S&D
Click the Mode item in the menu
Choose Advanced Mode
In the bar on the left, click Tools
Click Resident
Untick Resident "TeaTimer"
Close Spybot S&D
Restart the computer.

Don't forget to turn these options back on when we finish the cleaning.


KIS:

* Right-click the Kaspersky icon in the lower right corner of the screen and choose Pause Protection.
* In the window that opens, choose By User Request.

Note: Don't forget to turn this option back on when the cleaning is finished.


-------------------------------------------------------------------------------------



Download the installer for Malwarebytes Anti-Malware from the following link:
http://www.besttechie.net/tools/mbam-setup.exe

Double-click to run the installer - at the very end of the process, make sure these options are checked:

* Update Malwarebytes' Anti-Malware
* Launch Malwarebytes Anti-Malware
* Then click Finish.

When the update finishes, the program will start.
Choose Perform Quick Scan and click Scan.
When the scan finishes, click OK, then Show Results: in the list of detected malware, check all items and click Remove Selected.

When that finishes, the logfile will open in Notepad; copy it into the thread on the forum.
If a restart occurs at the end of the cleaning process, the logfile will be available on the Logs tab (select it and click Open).


After all that, post a fresh HijackThis logfile as well.

  • Joined: 05 Jun 2008
  • Posts: 13
  • Location: NS

Malwarebytes' Anti-Malware 1.14
Database version: 827

19:57:52 5.6.2008
mbam-log-6-5-2008 (19-57-52).txt

Scan type: Quick Scan
Objects scanned: 39567
Time elapsed: 4 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 13
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 3
Files Infected: 27

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\tuvWonom.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\rqRIcBtU.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{06e12c36-760f-4d92-8509-5e5dbf12c423} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06e12c36-760f-4d92-8509-5e5dbf12c423} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tuvwonom (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Purchased Products (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\SystemErrorFixerDownloader (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1c0e4db5-d995-4a0f-94e0-52b6c355c4c8} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1c0e4db5-d995-4a0f-94e0-52b6c355c4c8} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{06e12c36-760f-4d92-8509-5e5dbf12c423} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMef7826a9 (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\rqricbtu -> Delete on reboot.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\systemerrorfixer (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\SystemErrorFixer (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\tuvWonom.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\efcyVOiJ.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ekvsyrpo.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fcwmyhyy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fljymvkw.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kivllktj.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nrvfkmar.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sxtyolci.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tuqvkncm.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ymenjjgv.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Documents and Settings\Milenko Todoreskov\Local Settings\Temporary Internet Files\Content.IE5\18HTF1D3\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Milenko Todoreskov\Local Settings\Temporary Internet Files\Content.IE5\18HTF1D3\kb713501[1] (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Documents and Settings\Milenko Todoreskov\Local Settings\Temporary Internet Files\Content.IE5\ARGRHEVI\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Milenko Todoreskov\Local Settings\Temporary Internet Files\Content.IE5\C9QRC56B\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Milenko Todoreskov\Local Settings\Temporary Internet Files\Content.IE5\CDIR89A7\CA6BGH6B (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Milenko Todoreskov\Local Settings\Temporary Internet Files\Content.IE5\CDIR89A7\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Milenko Todoreskov\Local Settings\Temporary Internet Files\Content.IE5\CDIR89A7\css4[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Milenko Todoreskov\Local Settings\Temporary Internet Files\Content.IE5\ODE7KPUJ\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Milenko Todoreskov\Local Settings\Temporary Internet Files\Content.IE5\OT2Z8LMZ\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Milenko Todoreskov\Local Settings\Temporary Internet Files\Content.IE5\RVPX9L16\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\em (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\oid (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\user (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\SystemErrorFixer\strpmon.exe (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WinSys2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fgrfpxvl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\rqRIcBtU.dll (Trojan.Vundo) -> Delete on reboot.








Logfile of HijackThis v1.99.1
Scan saved at 20:02:55, on 5.6.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Milenko Todoreskov\Desktop\New Folder\TR3.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = g.msn.com/0SEENUS/SAOS01
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2055B622-162B-438A-B570-62BAE95827DA} - (no file)
O2 - BHO: (no name) - {4F0C747C-1D30-4837-B846-DED3EDAB0916} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6F866AD4-3B26-4114-A0FB-41E783473BBF} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {C3CA5FCB-E7D9-40ED-9304-3614725BE09F} - C:\WINDOWS\system32\iiffCSkh.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [iLike] C:\Program Files\iLike\1.1.27\ilikesidebar.exe /checkforupdate
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll,
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing)
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe



That's it, but I must also mention that today and in the past few days some pages wouldn't open either in Firefox or in Explorer, and just now it took me half an hour to open this site and I barely managed. Regards

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Was the computer restarted after the scan with MBAM?

If not, be sure to restart it before continuing...




Run HijackThis, scan, and check the following lines:

O2 - BHO: (no name) - {2055B622-162B-438A-B570-62BAE95827DA} - (no file)
O2 - BHO: (no name) - {4F0C747C-1D30-4837-B846-DED3EDAB0916} - (no file)
O2 - BHO: (no name) - {6F866AD4-3B26-4114-A0FB-41E783473BBF} - (no file)
O2 - BHO: (no name) - {C3CA5FCB-E7D9-40ED-9304-3614725BE09F} - C:\WINDOWS\system32\iiffCSkh.dll (file missing)

Click Fix checked.



-------------------------------------------------------------------------------------



If you already have ComboFix, delete it and download the latest version.

Download ComboFix from one of the following addresses to the Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and don't touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log will appear (C:\ComboFix.txt) which you will copy here for us.
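An added example, not code from this thread or from HijackThis, MBAM or ComboFix: a small Python triage helper for HijackThis v1.99.1 logs that picks out the same O2 pattern dr_Bora asks to fix above (an unnamed BHO with no file behind it) and the O2/O20 overlap visible in the first log, where tuvWonom.dll was registered both as a BHO and as a Winlogon Notify handler. The sample log inside the block is constructed from lines of the logs posted in this thread; the function names and finding labels are my own.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample: these lines are taken from the HijackThis logs posted in
# this thread (a benign Adobe/Spybot BHO, the unnamed tuvWonom.dll BHO that
# MBAM labelled Trojan.Vundo, two orphaned BHO registrations, and the two
# Winlogon Notify entries).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = g.msn.com/0SEENUS/SAOS01
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06E12C36-760F-4D92-8509-5E5DBF12C423} - C:\WINDOWS\system32\tuvWonom.dll
O2 - BHO: (no name) - {2055B622-162B-438A-B570-62BAE95827DA} - (no file)
O2 - BHO: (no name) - {C3CA5FCB-E7D9-40ED-9304-3614725BE09F} - C:\WINDOWS\system32\iiffCSkh.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: tuvWonom - C:\WINDOWS\SYSTEM32\tuvWonom.dll
"""

# One HijackThis entry: a section tag (R1, O2, O20, ...) then " - " then the body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# O2 body: "BHO: <name> - {<CLSID>} - <path, '(no file)' or '<path> (file missing)'>"
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
# O20 body: "Winlogon Notify: <subkey> - <dll path>"
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


@dataclass
class Finding:
    kind: str   # which pattern matched
    line: str   # the original log line, so it can be pasted back for review


def entries(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (section, body, line) for each 'Rn - ...' / 'Onn - ...' line."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def _basename(path: str) -> str:
    """Case-folded file name of a Windows path (the log mixes system32/SYSTEM32)."""
    return path.rsplit("\\", 1)[-1].lower()


def _is_orphan(path: str) -> bool:
    """True when HijackThis reports the registered DLL as absent from disk."""
    return path == "(no file)" or path.endswith("(file missing)")


def triage(text: str) -> List[Finding]:
    """Flag the patterns this thread turns on.

    orphaned-bho:            unnamed O2 BHO whose DLL no longer exists; only the
                             CLSID registration is left, which 'Fix checked' removes.
    unnamed-bho-loaded:      unnamed O2 BHO whose DLL is still present.
    bho-and-winlogon-notify: O20 Winlogon Notify hook pointing at the same DLL as
                             an unnamed BHO (the tuvWonom.dll pattern in the first
                             log): the DLL is reloaded at every logon even if the
                             browser hook alone is removed, so both entries must go.
    """
    findings: List[Finding] = []
    unnamed_present = {}  # basename -> O2 line, for unnamed BHOs still on disk
    for section, body, line in entries(text):
        if section != "O2":
            continue
        m = BHO_RE.match(body)
        if not m or m.group("name") != "(no name)":
            continue
        path = m.group("path")
        if _is_orphan(path):
            findings.append(Finding("orphaned-bho", line))
        else:
            unnamed_present[_basename(path)] = line
            findings.append(Finding("unnamed-bho-loaded", line))
    # Second pass: correlate Winlogon Notify hooks with the unnamed BHO DLLs.
    for section, body, line in entries(text):
        if section != "O20":
            continue
        m = NOTIFY_RE.match(body)
        if m and _basename(m.group("path")) in unnamed_present:
            findings.append(Finding("bho-and-winlogon-notify", line))
    return findings


def fix_checked_candidates(text: str) -> List[str]:
    """The O2 lines a helper would ask the user to tick in HijackThis."""
    return [f.line for f in triage(text) if f.kind == "orphaned-bho"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:25} {f.line}")
```

On the sample it lists the two orphaned BHO lines as Fix-checked candidates and reports the tuvWonom.dll O2/O20 pair separately, which is the part MBAM had to remove on reboot.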

  • Joined: 05 Jun 2008
  • Posts: 13
  • Location: NS

It restarted, I did what was needed in HijackThis, and downloaded ComboFix to the desktop from the first address, but when it ran it said it was corrupted and that I should download a newer version; now, I'm wondering whether I should try the other two addresses right away, or?

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

You can try one of the other links, in the following way.

Right-click one of the given links and choose Save as (Save target as or similar) - when the Save dialog opens, save the file as TR3.exe (that is, rename it during the download itself).

  • Joined: 05 Jun 2008
  • Posts: 13
  • Location: NS

ComboFix 08-06-05.3 - Milenko Todoreskov 2008-06-05 21:00:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.381.1033.18.1600 [GMT 2:00]
Running from: C:\Documents and Settings\Milenko Todoreskov\Desktop\TR3.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMef7826a9.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\baJmTvut.ini
C:\WINDOWS\system32\baJmTvut.ini2
C:\WINDOWS\system32\cqctyrtg.ini
C:\WINDOWS\system32\hkSCffii.ini
C:\WINDOWS\system32\hkSCffii.ini2
C:\WINDOWS\system32\hstdmrug.ini
C:\WINDOWS\system32\jStDKkkj.ini
C:\WINDOWS\system32\jStDKkkj.ini2
C:\WINDOWS\system32\niqmotup.ini
C:\WINDOWS\system32\qxjhgqnm.ini
C:\WINDOWS\system32\sotigkbe.ini
C:\WINDOWS\system32\tkshdqno.ini2
C:\WINDOWS\system32\tkshdqno.tmp
C:\WINDOWS\system32\tuvWonom.dll
C:\WINDOWS\system32\UtBcIRqr.ini
C:\WINDOWS\system32\UtBcIRqr.ini2
C:\WINDOWS\system32\VCegMnnn.ini
C:\WINDOWS\system32\VCegMnnn.ini2
C:\WINDOWS\system32\VuDLmnpo.ini
C:\WINDOWS\system32\VuDLmnpo.ini2
C:\WINDOWS\system32\waaacMoq.ini
C:\WINDOWS\system32\waaacMoq.ini2
C:\WINDOWS\system32\winsys.exe
C:\WINDOWS\system32\ydrqbfnb.ini
C:\WINDOWS\system32\YxELUvut.ini
C:\WINDOWS\system32\YxELUvut.ini2
C:\WINDOWS\system32\yyhymwcf.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-06-05 19:51 . 2008-06-05 19:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-05 19:51 . 2008-06-05 19:51 <DIR> d-------- C:\Documents and Settings\Milenko Todoreskov\Application Data\Malwarebytes
2008-06-05 19:51 . 2008-06-05 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-05 19:51 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-05 19:51 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-05 17:16 . 2008-06-05 17:16 147,456 --a------ C:\WINDOWS\system32\putomqin.dll
2008-06-05 16:48 . 2008-06-05 19:57 156,160 --------- C:\WINDOWS\system32\fgrfpxvl.dll
2008-06-05 16:47 . 2008-06-05 19:57 604,160 --------- C:\WINDOWS\system32\rqRIcBtU.dll
2008-06-05 15:12 . 2008-06-05 15:12 147,456 --a------ C:\WINDOWS\system32\gurmdtsh.dll
2008-06-05 15:10 . 2008-06-05 15:10 156,160 --a------ C:\WINDOWS\system32\phvrweaq.dll
2008-06-04 22:17 . 2008-06-04 22:17 <DIR> d-------- C:\ComboFix
2008-06-04 18:05 . 2008-06-04 18:08 <DIR> d-------- C:\Program Files\Panda Security
2008-06-04 14:30 . 2008-06-04 14:31 <DIR> d-------- C:\Program Files\SaljiPoruke-desktop
2008-06-03 16:12 . 2008-06-04 14:09 <DIR> d-------- C:\Documents and Settings\Milenko Todoreskov\Application Data\Lavasoft
2008-06-03 15:52 . 2008-06-03 15:52 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-05-30 16:38 . 2004-08-04 03:07 68,608 --a------ C:\WINDOWS\system32\plugin.ocx
2008-05-30 16:38 . 2004-08-04 03:07 68,608 --a------ C:\WINDOWS\system32\dllcache\plugin.ocx
2008-05-30 16:36 . 2008-05-30 16:36 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-05-30 12:46 . 2008-06-05 16:36 1,249 --a------ C:\WINDOWS\wininit.ini
2008-05-30 11:56 . 2008-05-30 11:56 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-05-30 11:44 . 2008-05-30 11:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-30 11:44 . 2008-05-30 11:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 17:21 . 2008-05-29 18:12 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-29 17:21 . 2008-05-29 20:17 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-29 17:20 . 2008-06-05 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-29 17:20 . 2008-06-05 21:04 6,920,736 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-29 17:20 . 2008-06-05 21:03 96,872 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-29 17:20 . 2008-06-05 21:03 94,496 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-29 17:20 . 2008-06-05 21:03 10,928 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-26 18:48 . 2008-06-04 17:19 <DIR> d-------- C:\Program Files\eMule
2008-05-23 12:34 . 2008-05-23 12:34 <DIR> d-------- C:\Program Files\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 15:11 --------- d-----w C:\Documents and Settings\Milenko Todoreskov\Application Data\uTorrent
2008-06-03 14:35 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2008-06-03 12:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2008-05-29 18:42 --------- d-----w C:\Program Files\Last.fm
2008-05-29 16:12 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-05-29 15:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-05-29 15:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-29 14:50 --------- d-----w C:\Program Files\Kaspersky Lab
2008-05-23 10:33 --------- d-----w C:\Program Files\Java
2008-04-18 12:33 --------- d-----w C:\Documents and Settings\Milenko Todoreskov\Application Data\EbkReader
2008-02-27 19:35 2,403,987 ----a-w C:\Program Files\BORGChat.bin.zip
2008-02-26 17:01 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2006-06-23 06:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 16:35 202024]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:07 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54 5674352]
"iLike"="C:\Program Files\iLike\1.1.27\ilikesidebar.exe" [2007-09-13 12:34 63024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-09-14 03:52 2595480]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 15:43 7630848]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2006-10-17 03:20 398944]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 23:22 3739648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 03:07 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.YV12"= yv12vfw.dll
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Documents and Settings\\Milenko Todoreskov\\Desktop\\utorrent.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.321\\English\\setup.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\BORGChat.bin\\BORGChat.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\ApexDC++_Gusari_XY6\\ApexDC.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 7.0\\avp.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"=

R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2007-11-24 01:22]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-12-03 15:54]
R2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2006-11-10 17:12]
R2 TryAndDecideService;Acronis Try And Decide Service;"C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe" [2007-09-14 05:01]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 03:07]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"C:\Program Files\MSN Messenger\usnsvc.exe" [2007-01-19 13:54]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44463082-1e76-11dd-a178-001d602bf5b0}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de351cda-9aef-11dc-aee5-b4d23b639bb2}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7839b97-a8fe-11dc-af19-001d602bf5b0}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

.
Contents of the 'Scheduled Tasks' folder
"2008-05-23 15:20:53 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-06-05 21:04:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-05 21:06:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-05 19:06:27

Pre-Run: 8,075,223,040 bytes free
Post-Run: 8,135,438,336 bytes free

189


Here it is

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text into it:

File::
C:\WINDOWS\system32\putomqin.dll
C:\WINDOWS\system32\fgrfpxvl.dll
C:\WINDOWS\system32\rqRIcBtU.dll
C:\WINDOWS\system32\gurmdtsh.dll
C:\WINDOWS\system32\phvrweaq.dll

Folder::
C:\Documents and Settings\All Users\Application Data\SalesMon

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44463082-1e76-11dd-a178-001d602bf5b0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de351cda-9aef-11dc-aee5-b4d23b639bb2}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7839b97-a8fe-11dc-af19-001d602bf5b0}]

Save the Notepad file to the Desktop as "CFScript".

Drag the saved script/text file onto the ComboFix icon as shown in the picture.
Post in your next message the log that is produced at the end of the cleaning/scan.
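Added example, not part of dr_Bora's reply or of ComboFix itself: a small Python script that reads a "Reg Loading Points" excerpt in the layout of the logs above, picks out the MountPoints2 AutoRun handlers that start a script host (here wscript.exe), drafts the Registry:: block in the CFScript syntax used in the reply ([-key] removes the whole key), and lists the Security Center and firewall settings from the same log that deserve a second look. The sample excerpt is constructed from entries shown in the log posted above; the function names and the list of script hosts are the example's own choices.

```python
"""Review the 'Reg Loading Points' part of a ComboFix log and draft the
Registry:: block of a CFScript for suspicious MountPoints2 AutoRun handlers.
Added example; not ComboFix code and not from the forum post."""
import re
from collections import OrderedDict

# Constructed sample: an excerpt in the same layout as the log posted above.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44463082-1e76-11dd-a178-001d602bf5b0}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de351cda-9aef-11dc-aee5-b4d23b639bb2}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7839b97-a8fe-11dc-af19-001d602bf5b0}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$", re.IGNORECASE)
# Script hosts that a removable-media AutoRun handler has no ordinary reason to start
# (example's own list, not something ComboFix defines).
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")


def parse_sections(log_text):
    """Split the REGEDIT4-style listing into {key: [value lines]}, keeping order."""
    sections = OrderedDict()
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def find_autorun_handlers(sections):
    """Return (key, command) for MountPoints2 AutoRun commands that launch a script host."""
    hits = []
    for key, lines in sections.items():
        if "\\mountpoints2\\" not in key.lower():
            continue
        for line in lines:
            m = AUTORUN_RE.match(line)
            if m and any(host in m.group("cmd").lower() for host in SCRIPT_HOSTS):
                hits.append((key, m.group("cmd")))
    return hits


def build_cfscript_registry(keys):
    """Draft the Registry:: block of a CFScript; '[-key]' deletes the whole key."""
    return "Registry::\n" + "\n".join("[-%s]" % k for k in keys) + "\n"


def review_protection_state(sections):
    """List settings that silence Security Center or disable the firewall (for review, not automatic removal)."""
    findings = []
    for key, lines in sections.items():
        kl = key.lower()
        if kl.endswith("\\security center"):
            for line in lines:
                if "disablenotify" in line.lower() and line.endswith("00000001"):
                    findings.append("Security Center notification disabled: " + line.split("=")[0].strip('"'))
        elif kl.endswith("\\firewallpolicy\\standardprofile"):
            for line in lines:
                if line.lower().startswith('"enablefirewall"') and re.search(r"=\s*0\b", line):
                    findings.append("Windows Firewall disabled (EnableFirewall = 0)")
    return findings


if __name__ == "__main__":
    secs = parse_sections(SAMPLE_LOG)
    handlers = find_autorun_handlers(secs)
    for key, cmd in handlers:
        print("AutoRun handler:", key, "->", cmd)
    print(build_cfscript_registry([k for k, _ in handlers]))
    for finding in review_protection_state(secs):
        print("Review:", finding)
```

Run against the excerpt it prints the three MountPoints2 keys and a Registry:: block identical in form to the one in the reply; the Security Center and firewall lines are reported for a human to judge, since an installed security suite can set the notification flags itself.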

  • Joined: 05 Jun 2008
  • Posts: 13
  • Location: NS

ComboFix 08-06-05.3 - Milenko Todoreskov 2008-06-05 21:36:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.381.1033.18.1599 [GMT 2:00]
Running from: C:\Documents and Settings\Milenko Todoreskov\Desktop\TR3.exe
Command switches used :: C:\Documents and Settings\Milenko Todoreskov\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\fgrfpxvl.dll
C:\WINDOWS\system32\gurmdtsh.dll
C:\WINDOWS\system32\phvrweaq.dll
C:\WINDOWS\system32\putomqin.dll
C:\WINDOWS\system32\rqRIcBtU.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\SalesMon
C:\WINDOWS\system32\fgrfpxvl.dll
C:\WINDOWS\system32\gurmdtsh.dll
C:\WINDOWS\system32\phvrweaq.dll
C:\WINDOWS\system32\putomqin.dll
C:\WINDOWS\system32\rqRIcBtU.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-06-05 19:51 . 2008-06-05 19:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-05 19:51 . 2008-06-05 19:51 <DIR> d-------- C:\Documents and Settings\Milenko Todoreskov\Application Data\Malwarebytes
2008-06-05 19:51 . 2008-06-05 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-05 19:51 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-05 19:51 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-04 22:17 . 2008-06-04 22:17 <DIR> d-------- C:\ComboFix
2008-06-04 18:05 . 2008-06-04 18:08 <DIR> d-------- C:\Program Files\Panda Security
2008-06-04 14:30 . 2008-06-04 14:31 <DIR> d-------- C:\Program Files\SaljiPoruke-desktop
2008-06-03 16:12 . 2008-06-04 14:09 <DIR> d-------- C:\Documents and Settings\Milenko Todoreskov\Application Data\Lavasoft
2008-06-03 15:52 . 2008-06-03 15:52 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-05-30 16:38 . 2004-08-04 03:07 68,608 --a------ C:\WINDOWS\system32\plugin.ocx
2008-05-30 16:38 . 2004-08-04 03:07 68,608 --a------ C:\WINDOWS\system32\dllcache\plugin.ocx
2008-05-30 16:36 . 2008-05-30 16:36 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-05-30 12:46 . 2008-06-05 16:36 1,249 --a------ C:\WINDOWS\wininit.ini
2008-05-30 11:44 . 2008-05-30 11:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-30 11:44 . 2008-05-30 11:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 17:21 . 2008-05-29 18:12 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-29 17:21 . 2008-05-29 20:17 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-29 17:20 . 2008-06-05 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-29 17:20 . 2008-06-05 21:37 6,951,200 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-29 17:20 . 2008-06-05 21:03 96,872 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-29 17:20 . 2008-06-05 21:37 96,288 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-29 17:20 . 2008-06-05 21:03 10,928 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-26 18:48 . 2008-06-04 17:19 <DIR> d-------- C:\Program Files\eMule
2008-05-23 12:34 . 2008-05-23 12:34 <DIR> d-------- C:\Program Files\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 15:11 --------- d-----w C:\Documents and Settings\Milenko Todoreskov\Application Data\uTorrent
2008-06-03 14:35 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2008-06-03 12:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2008-05-29 18:42 --------- d-----w C:\Program Files\Last.fm
2008-05-29 16:12 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-05-29 15:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-05-29 15:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-29 14:50 --------- d-----w C:\Program Files\Kaspersky Lab
2008-05-23 10:33 --------- d-----w C:\Program Files\Java
2008-04-18 12:33 --------- d-----w C:\Documents and Settings\Milenko Todoreskov\Application Data\EbkReader
2008-02-27 19:35 2,403,987 ----a-w C:\Program Files\BORGChat.bin.zip
2008-02-26 17:01 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2006-06-23 06:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 16:35 202024]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:07 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54 5674352]
"iLike"="C:\Program Files\iLike\1.1.27\ilikesidebar.exe" [2007-09-13 12:34 63024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-09-14 03:52 2595480]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 15:43 7630848]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2006-10-17 03:20 398944]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 23:22 3739648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 03:07 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.YV12"= yv12vfw.dll
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Documents and Settings\\Milenko Todoreskov\\Desktop\\utorrent.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.321\\English\\setup.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\BORGChat.bin\\BORGChat.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\ApexDC++_Gusari_XY6\\ApexDC.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 7.0\\avp.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"=

R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2007-11-24 01:22]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-12-03 15:54]
R2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2006-11-10 17:12]
R2 TryAndDecideService;Acronis Try And Decide Service;"C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe" [2007-09-14 05:01]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 03:07]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"C:\Program Files\MSN Messenger\usnsvc.exe" [2007-01-19 13:54]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-05-23 15:20:53 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-06-05 21:37:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-05 21:39:06
ComboFix-quarantined-files.txt 2008-06-05 19:39:04
ComboFix2.txt 2008-06-05 19:06:35

Pre-Run: 8,116,146,176 bytes free
Post-Run: 8,107,474,944 bytes free

148

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Pack the complete following folder into a single zip/rar:

C:\QooBox\Quarantine


Upload that zip/rar via the following link: http://www.mycity.rs/ambulanta-upload.php


Let me know when you have done the upload...
