Provera loga

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

HT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:52:13, on 18.12.2008
Platform: Windows XP SP3, v.3244 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\Stefan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\spoolsv.exe
C:\totalcmd\TC PowerPack\TOTALCMD.EXE
D:\Stef4n\za malware\Hijack This\TR3.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [Link mogu videti samo ulogovani korisnici]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [Link mogu videti samo ulogovani korisnici]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [Link mogu videti samo ulogovani korisnici]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [Link mogu videti samo ulogovani korisnici]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [Link mogu videti samo ulogovani korisnici]
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Stefan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download video with Free Download Manager - [Link mogu videti samo ulogovani korisnici]\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [Link mogu videti samo ulogovani korisnici]\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Preuzmi odabrano Free Download Manager-om - [Link mogu videti samo ulogovani korisnici]\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Preuzmi sa Free Download Managerom - [Link mogu videti samo ulogovani korisnici]\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Preuzmi sve sa Free Download Manager-om - [Link mogu videti samo ulogovani korisnici]\Program Files\Free Download Manager\dlall.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F6198DD-FBC9-4ECF-9259-B28F52C27765}: NameServer = 85.255.113.130;85.255.112.64
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.130;85.255.112.64
O17 - HKLM\System\CS1\Services\Tcpip\..\{4F6198DD-FBC9-4ECF-9259-B28F52C27765}: NameServer = 85.255.113.130;85.255.112.64
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.130;85.255.112.64
O17 - HKLM\System\CS3\Services\Tcpip\..\{4F6198DD-FBC9-4ECF-9259-B28F52C27765}: NameServer = 85.255.113.130;85.255.112.64
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.130;85.255.112.64
O20 - Winlogon Notify: jqzaotzn - C:\WINDOWS\SYSTEM32\jqzaotzn.dll
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 6108 bytes

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Pozdrav...


Imaš par ''finih'' infekcija ovde. Da pogledamo malo detaljnije šta se tu događa.



Skini ComboFix sa jedne od sledecih adresa na Desktop:
[Link mogu videti samo ulogovani korisnici]
[Link mogu videti samo ulogovani korisnici]
[Link mogu videti samo ulogovani korisnici]

Startuj ga i ne diraj prozor programa dok skenira.
Sledi uputstva na ekranu. Kada zavrsi pojavice se log (C:\ComboFix.txt) koji ces nam ovde iskopirati.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Konacno log,nisam bio tu par dana pa me izvinite za neozbiljnost:
---
ComboFix 08-12-23.01 - Stefan 2008-12-23 23:17:04.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.614 [GMT 1:00]
Running from: c:\documents and settings\Stefan\Desktop\ComboFix.exe
* Resident AV is active

.
ADS - svchost.exe: deleted 25088 bytes in 1 streams.
/wow section - STAGE 41


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ati7wcxx.sys
c:\windows\system32\drivers\msqpdxpqltoiqh.sys
c:\windows\system32\jqzaotzn.dll
c:\windows\system32\msqpdxorvdbrsr.dll
D:\resycled
d:\resycled\boot.com
E:\resycled
e:\resycled\boot.com
F:\resycled
f:\resycled\boot.com
.
---- Previous Run -------
.
C:\Autorun.inf
c:\docume~1\Stefan\LOCALS~1\Temp\tmp2.tmp
c:\program files\Mozilla Firefox\components\iamfamous.dll
C:\resycled
c:\resycled\boot.com
D:\Autorun.inf
E:\Autorun.inf
F:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ATI7WCXX
-------\Legacy_FCI
-------\Legacy_ICF
-------\Service_ati7wcxx
-------\Service_FCI
-------\Service_ICF
-------\Service_restore


((((((((((((((((((((((((( Files Created from 2008-11-23 to 2008-12-23 )))))))))))))))))))))))))))))))
.

2008-12-23 22:29 . 2008-12-23 22:29 <DIR> d-------- c:\windows\system32\VIRepair
2008-12-18 23:32 . 2008-12-18 23:33 <DIR> d-------- c:\program files\RogueRemover FREE
2008-12-16 22:42 . 2008-12-16 22:42 61,440 --a------ c:\windows\system32\drivers\htmsmm.sys
2008-12-16 21:09 . 2008-12-16 21:09 61,440 --a------ c:\windows\system32\drivers\ibsiwu.sys
2008-12-16 10:37 . 2008-12-16 10:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-16 10:37 . 2008-09-08 00:11 38,528 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-16 10:37 . 2008-09-08 00:11 17,200 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-13 19:34 . 2008-12-13 19:36 <DIR> d-------- c:\program files\FOX Video Converter
2008-12-10 22:16 . 2008-12-10 22:16 <DIR> d-------- c:\program files\Uniblue
2008-12-10 21:55 . 2008-12-10 21:55 603,904 --a------ c:\windows\system32\TUProgSt.exe
2008-12-10 21:55 . 2008-12-10 21:55 362,240 --a------ c:\windows\system32\TuneUpDefragService.exe
2008-12-10 21:55 . 2008-11-12 16:44 27,904 --a------ c:\windows\system32\uxtuneup.dll
2008-12-10 21:54 . 2008-12-10 21:55 <DIR> d-------- c:\program files\TuneUp Utilities 2009
2008-12-10 21:32 . 2008-12-10 21:32 2 --a------ C:\-1732176044
2008-12-10 20:40 . 2008-12-10 20:40 <DIR> d-------- c:\program files\WinFlip
2008-12-10 20:40 . 2008-12-10 20:40 <DIR> d-------- c:\program files\TrueTransparency
2008-12-10 20:40 . 2008-12-23 22:29 <DIR> d-------- c:\program files\Styler
2008-12-10 20:38 . 2008-12-10 20:38 76,214 --a------ c:\windows\Icon_2.ico
2008-12-06 19:44 . 2008-12-06 19:45 <DIR> d-------- c:\program files\Planplus
2008-12-05 11:44 . 2008-12-05 11:44 <DIR> d-------- c:\documents and settings\Stefan\Application Data\Safer Networking
2008-12-05 11:43 . 2008-12-05 11:43 <DIR> d-------- c:\program files\Safer Networking
2008-12-02 11:01 . 2006-09-28 13:10 11,648 --a------ c:\windows\system32\drivers\ggsemc.sys
2008-12-02 11:00 . 2006-09-28 13:10 11,648 --a------ c:\windows\system32\drivers\gggen.sys
2008-11-30 16:42 . 2008-11-30 16:42 <DIR> d-------- c:\documents and settings\Stefan\Application Data\MSNInstaller
2008-11-28 14:37 . 2008-11-28 14:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\TuneUp Software
2008-11-28 14:37 . 2008-11-28 14:37 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2008-11-28 14:32 . 2008-11-28 14:32 <DIR> d-------- c:\program files\Windows Installer 4.5 SDK
2008-11-27 22:26 . 2008-11-27 22:26 <DIR> d-------- c:\documents and settings\Stefan\Application Data\Styler
2008-11-27 22:23 . 2008-12-23 22:30 <DIR> d-------- c:\windows\system32\VITrans
2008-11-27 22:23 . 2008-12-11 21:35 <DIR> d-------- C:\VTPFiles
2008-11-27 22:23 . 2004-11-27 19:00 94,208 --a------ c:\windows\system32\pskill.exe
2008-11-27 22:23 . 2008-11-27 22:23 78,942 --a------ c:\windows\Icon_1.ico
2008-11-27 22:23 . 2006-12-03 17:15 69,632 --a------ c:\windows\system32\moveex.exe
2008-11-27 22:23 . 2006-12-03 17:14 8,636 --a------ c:\windows\system32\modifype.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-16 21:42 102 ----a-w c:\program files\scmn.txt
2008-12-16 20:57 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-16 19:47 --------- d-----w c:\documents and settings\Stefan\Application Data\Free Download Manager
2008-12-13 18:35 81,920 ----a-w c:\documents and settings\Stefan\Application Data\ezpinst.exe
2008-12-13 18:35 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2008-12-13 18:35 47,360 ----a-w c:\documents and settings\Stefan\Application Data\pcouffin.sys
2008-12-13 18:35 --------- d-----w c:\documents and settings\Stefan\Application Data\Vso
2008-12-10 21:17 --------- dc-h--w c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-12-05 18:35 --------- d-----w c:\program files\Sony Ericsson
2008-11-30 11:29 --------- d-----w c:\documents and settings\All Users\Application Data\ESET
2008-11-26 13:59 --------- d-----w c:\documents and settings\Stefan\Application Data\mIRC
2008-11-26 13:58 --------- d-----w c:\program files\mIRC
2008-11-25 20:55 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-24 20:44 --------- d-----w c:\program files\MSN Messenger
2008-11-16 18:57 --------- d-----w c:\program files\Alcohol Soft
2008-11-15 18:08 --------- d-----w c:\program files\YouTube Downloader
2008-11-14 20:15 --------- d-----w c:\documents and settings\Stefan\Application Data\Teleca
2008-11-13 16:01 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-11-12 12:02 --------- d-----w c:\program files\iPassion
2008-11-12 12:01 --------- d-----w c:\documents and settings\Stefan\Application Data\InstallShield
2008-11-12 12:00 --------- d-----w c:\program files\MSI
2008-11-10 20:02 --------- d-----w c:\documents and settings\Stefan\Application Data\Sony Ericsson
2008-11-10 19:57 --------- d-----w c:\program files\Common Files\Teleca Shared
2008-11-10 19:57 --------- d-----w c:\program files\Common Files\Sony Ericsson Shared
2008-11-10 19:57 --------- d-----w c:\documents and settings\All Users\Application Data\Teleca
2008-11-10 19:57 --------- d-----w c:\documents and settings\All Users\Application Data\Sony Ericsson
2008-11-08 20:58 --------- d-----w c:\documents and settings\Stefan\Application Data\Thunderbird
2008-11-08 20:57 --------- d-----w c:\program files\Mozilla Thunderbird
2008-11-04 19:46 --------- d-----w c:\documents and settings\Stefan\Application Data\Thinstall
2008-11-04 19:39 287,976 ----a-w C:\cc_20081104_203843.reg
2008-11-01 12:09 --------- d-----w c:\program files\The Weather Channel FW
2008-10-28 21:42 --------- d-----w c:\program files\Common Files\Adobe
2008-10-28 21:40 --------- d-----w c:\program files\HotPotatoes6
2008-10-28 21:39 --------- d-----w c:\program files\RapidTyping
2008-10-27 10:57 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-26 15:31 --------- d-----w c:\documents and settings\Stefan\Application Data\skypePM
2008-10-26 15:28 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-10-23 08:52 --------- d-----w c:\documents and settings\Stefan\Application Data\Uniblue
2008-08-04 12:42 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2003-03-21 12:45 250,544 ----a-w c:\program files\Common Files\keyhelp.ocx
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2007-10-31 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
"AGRSMMSG"="AGRSMMSG.exe" [2006-06-29 c:\windows\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-28 11:32 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"msacm.l3acm"= L3codecp.acm
"msacm.divxa32"= DivXa32.acm
"vidc.asv2"= asusasv2.dll
"vidc.div3"= DivXc32.dll
"vidc.div4"= DivXc32f.dll
"vidc.ap41"= APmpg4v1.dll
"vidc.mjpg"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
"vidc.rud0"= rududu.dll
"vidc.mj2c"= M3JP2K32.dll
"vidc.mmes"= DigiVCap.dll
"vidc.vixl"= Miroxl32.dll
"vidc.sony"= sonydv.dll
"vidc.dv25"= DigiVCap.dll
"vidc.dv50"= DigiVCap.dll
"vidc.msmc"= DigiVCap.dll
"vidc.mmjp"= DigiVCap.dll
"vidc.3ivx"= 3ivxVfWCodec.dll
"vidc.vssv"= vsscodec.dll
"vidc.pim1"= pclepim1.dll
"vidc.advs"= Dvc.dll
"vidc.asv1"= asusasv1.dll
"vidc.aflc"= flccodec32.dll
"vidc.aasc"= Aasc32.dll
"vidc.avrn"= AvidAVICodec.dll
"VIDC.mszh"= avimszh.dll
"vidc.zlib"= avizlib.dll
"vidc.mwv1"= icmw_32.dll
"vidc.bt20"= btvvc32.drv
"vidc.y41p"= btvvc32.drv
"vidc.cscd"= camcodec.dll
"vidc.cdvc"= CSCCDVC.DLL
"vidc.ddvc"= CSCdvsd.DLL
"vidc.dps0"= DpsAviCC.dll
"vidc.dvx4"= divx4.dll
"vidc.em2v"= EtxCodec.dll
"vidc.frwd"= frwd.dll
"vidc.frwt"= frwt.dll
"vidc.frwu"= frwu.dll
"vidc.glzw"= GLZW.dll
"vidc.gpeg"= GPEG.dll
"vidc.hfyu"= huffyuv.dll
"vidc.i263"= i263_32.drv
"vidc.ir21"= IR21_R.DLL
"vidc.rt21"= IR21_R.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-03-12 12:49 153136 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2007-10-31 00:32 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-11-08 23:00 128920 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
--a------ 2008-09-09 14:06 2465839 c:\program files\Free Download Manager\fdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-09 14:06 133104 c:\documents and settings\Stefan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iPPCamScan]
--a------ 2008-01-23 18:41 86016 c:\windows\iPScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2003-03-25 04:49 53248 c:\windows\system32\mmtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray2K]
--a------ 2003-03-25 04:49 57344 c:\windows\system32\mmtray2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTrayLSI]
--a------ 2003-03-25 04:49 53248 c:\windows\system32\mmtraylsi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-09 17:53 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2006-11-24 01:06 487424 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 10:43 2097488 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 11:35 90112 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
-ra------ 2006-06-29 06:32 89541 c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2007-11-30 11:42 16858624 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]
--a------ 2003-03-25 04:49 106544 c:\windows\system32\tweakui.cpl

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 ekrn;Eset Service;"c:\program files\ESET\ESET Smart Security\ekrn.exe" [2007-12-21 468224]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys [2008-08-14 45848]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2008-12-10 603904]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\DRIVERS\RMSPPPOE.SYS [2002-06-09 31232]
R3 WSIMD;wsimd Service;c:\windows\system32\DRIVERS\wsimd.sys [2008-09-23 57024]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys []
S3 DCamUSBTP10;StarCam mini+;c:\windows\system32\Drivers\iP293x.sys [2008-11-12 241920]
S3 gggen;Generic USB Flash Driver;c:\windows\system32\DRIVERS\gggen.sys [2008-12-02 11648]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-16 38528]
S4 LMIRfsClientNP;LMIRfsClientNP; []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3dfb0b2-51ba-11dd-b7b3-0015af99d8cd}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com l:
\Shell\Open\command - l:\resycled\boot.com l:
.
Contents of the 'Scheduled Tasks' folder

2008-12-23 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 16:28]

2008-12-19 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Stefan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-09 14:06]
.
.
------- Supplementary Scan -------
.
uStart Page = [Link mogu videti samo ulogovani korisnici]
FF - ProfilePath - c:\documents and settings\Stefan\Application Data\Mozilla\Firefox\Profiles\6797vdyr.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - [Link mogu videti samo ulogovani korisnici]
FF - prefs.js: keyword.URL - [Link mogu videti samo ulogovani korisnici]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2008-12-23 23:22:07
Windows 5.1.2600 Service Pack 3, v.3244 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASPI32]
"ImagePath"="hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,73,00,70,00,69,00,33,00,32,00,2e,00,73,00,79,00,73,00,00,00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASPI32]
"ImagePath"="hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,73,00,70,00,69,00,33,00,32,00,2e,00,73,00,79,00,73,00,00,00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1308-)
c:\windows\system32\athgina.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
.
**************************************************************************
.
Completion time: 2008-12-23 23:24:44 - machine was rebooted [Stefan]
ComboFix-quarantined-files.txt 2008-12-23 22:24:41
ComboFix2.txt 2008-11-25 13:28:23
ComboFix3.txt 2008-11-24 20:29:55
ComboFix4.txt 2008-10-05 11:21:57

Pre-Run: 19,311,116,288 bytes free
Post-Run: 19,299,098,624 bytes free

301 --- E O F --- 2008-11-17 17:32:29

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Otvoriti Notepad i iskopirati sledeci tekst:

File::
c:\windows\system32\drivers\htmsmm.sys
c:\windows\system32\drivers\ibsiwu.sys

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3dfb0b2-51ba-11dd-b7b3-0015af99d8cd}]


Snimiti na Desktop fajl iz Notepada kao "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.




Pitanje: imaš li USB flash drive (tj. bilo šta što se ponaša kao USB memorija; flash drive, mp3 player, telefon, eksterni HDD...)?

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

ComboFix 08-12-23.01 - Stefan 2008-12-24 18:03:37.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.460 [GMT 1:00]
Running from: c:\documents and settings\Stefan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Stefan\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
c:\windows\system32\drivers\htmsmm.sys
c:\windows\system32\drivers\ibsiwu.sys
.
/wow section - STAGE 41


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\htmsmm.sys
c:\windows\system32\drivers\ibsiwu.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FCI
-------\Legacy_ICF


((((((((((((((((((((((((( Files Created from 2008-11-24 to 2008-12-24 )))))))))))))))))))))))))))))))
.

2008-12-23 22:29 . 2008-12-23 22:29 <DIR> d-------- c:\windows\system32\VIRepair
2008-12-18 23:32 . 2008-12-18 23:33 <DIR> d-------- c:\program files\RogueRemover FREE
2008-12-16 10:37 . 2008-12-16 10:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-16 10:37 . 2008-09-08 00:11 38,528 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-16 10:37 . 2008-09-08 00:11 17,200 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-13 19:34 . 2008-12-13 19:36 <DIR> d-------- c:\program files\FOX Video Converter
2008-12-10 22:16 . 2008-12-10 22:16 <DIR> d-------- c:\program files\Uniblue
2008-12-10 21:55 . 2008-12-10 21:55 603,904 --a------ c:\windows\system32\TUProgSt.exe
2008-12-10 21:55 . 2008-12-10 21:55 362,240 --a------ c:\windows\system32\TuneUpDefragService.exe
2008-12-10 21:55 . 2008-11-12 16:44 27,904 --a------ c:\windows\system32\uxtuneup.dll
2008-12-10 21:54 . 2008-12-10 21:55 <DIR> d-------- c:\program files\TuneUp Utilities 2009
2008-12-10 21:32 . 2008-12-10 21:32 2 --a------ C:\-1732176044
2008-12-10 20:40 . 2008-12-10 20:40 <DIR> d-------- c:\program files\WinFlip
2008-12-10 20:40 . 2008-12-10 20:40 <DIR> d-------- c:\program files\TrueTransparency
2008-12-10 20:40 . 2008-12-23 22:29 <DIR> d-------- c:\program files\Styler
2008-12-10 20:38 . 2008-12-10 20:38 76,214 --a------ c:\windows\Icon_2.ico
2008-12-06 19:44 . 2008-12-06 19:45 <DIR> d-------- c:\program files\Planplus
2008-12-05 11:44 . 2008-12-05 11:44 <DIR> d-------- c:\documents and settings\Stefan\Application Data\Safer Networking
2008-12-05 11:43 . 2008-12-05 11:43 <DIR> d-------- c:\program files\Safer Networking
2008-12-02 11:01 . 2006-09-28 13:10 11,648 --a------ c:\windows\system32\drivers\ggsemc.sys
2008-12-02 11:00 . 2006-09-28 13:10 11,648 --a------ c:\windows\system32\drivers\gggen.sys
2008-11-30 16:42 . 2008-11-30 16:42 <DIR> d-------- c:\documents and settings\Stefan\Application Data\MSNInstaller
2008-11-28 14:37 . 2008-11-28 14:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\TuneUp Software
2008-11-28 14:37 . 2008-11-28 14:37 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2008-11-28 14:32 . 2008-11-28 14:32 <DIR> d-------- c:\program files\Windows Installer 4.5 SDK
2008-11-27 22:26 . 2008-11-27 22:26 <DIR> d-------- c:\documents and settings\Stefan\Application Data\Styler
2008-11-27 22:23 . 2008-12-23 22:30 <DIR> d-------- c:\windows\system32\VITrans
2008-11-27 22:23 . 2008-12-11 21:35 <DIR> d-------- C:\VTPFiles
2008-11-27 22:23 . 2004-11-27 19:00 94,208 --a------ c:\windows\system32\pskill.exe
2008-11-27 22:23 . 2008-11-27 22:23 78,942 --a------ c:\windows\Icon_1.ico
2008-11-27 22:23 . 2006-12-03 17:15 69,632 --a------ c:\windows\system32\moveex.exe
2008-11-27 22:23 . 2006-12-03 17:14 8,636 --a------ c:\windows\system32\modifype.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-16 21:42 102 ----a-w c:\program files\scmn.txt
2008-12-16 20:57 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-16 19:47 --------- d-----w c:\documents and settings\Stefan\Application Data\Free Download Manager
2008-12-13 18:35 81,920 ----a-w c:\documents and settings\Stefan\Application Data\ezpinst.exe
2008-12-13 18:35 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2008-12-13 18:35 47,360 ----a-w c:\documents and settings\Stefan\Application Data\pcouffin.sys
2008-12-13 18:35 --------- d-----w c:\documents and settings\Stefan\Application Data\Vso
2008-12-10 21:17 --------- dc-h--w c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-12-05 18:35 --------- d-----w c:\program files\Sony Ericsson
2008-11-30 11:29 --------- d-----w c:\documents and settings\All Users\Application Data\ESET
2008-11-26 13:59 --------- d-----w c:\documents and settings\Stefan\Application Data\mIRC
2008-11-26 13:58 --------- d-----w c:\program files\mIRC
2008-11-25 20:55 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-24 20:44 --------- d-----w c:\program files\MSN Messenger
2008-11-16 18:57 --------- d-----w c:\program files\Alcohol Soft
2008-11-15 18:08 --------- d-----w c:\program files\YouTube Downloader
2008-11-14 20:15 --------- d-----w c:\documents and settings\Stefan\Application Data\Teleca
2008-11-13 16:01 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-11-12 12:02 --------- d-----w c:\program files\iPassion
2008-11-12 12:01 --------- d-----w c:\documents and settings\Stefan\Application Data\InstallShield
2008-11-12 12:00 --------- d-----w c:\program files\MSI
2008-11-10 20:02 --------- d-----w c:\documents and settings\Stefan\Application Data\Sony Ericsson
2008-11-10 19:57 --------- d-----w c:\program files\Common Files\Teleca Shared
2008-11-10 19:57 --------- d-----w c:\program files\Common Files\Sony Ericsson Shared
2008-11-10 19:57 --------- d-----w c:\documents and settings\All Users\Application Data\Teleca
2008-11-10 19:57 --------- d-----w c:\documents and settings\All Users\Application Data\Sony Ericsson
2008-11-08 20:58 --------- d-----w c:\documents and settings\Stefan\Application Data\Thunderbird
2008-11-08 20:57 --------- d-----w c:\program files\Mozilla Thunderbird
2008-11-04 19:46 --------- d-----w c:\documents and settings\Stefan\Application Data\Thinstall
2008-11-04 19:39 287,976 ----a-w C:\cc_20081104_203843.reg
2008-11-01 12:09 --------- d-----w c:\program files\The Weather Channel FW
2008-10-28 21:42 --------- d-----w c:\program files\Common Files\Adobe
2008-10-28 21:40 --------- d-----w c:\program files\HotPotatoes6
2008-10-28 21:39 --------- d-----w c:\program files\RapidTyping
2008-10-27 10:57 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-26 15:31 --------- d-----w c:\documents and settings\Stefan\Application Data\skypePM
2008-10-26 15:28 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-08-04 12:42 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2003-03-21 12:45 250,544 ----a-w c:\program files\Common Files\keyhelp.ocx
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2007-10-31 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
"AGRSMMSG"="AGRSMMSG.exe" [2006-06-29 c:\windows\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-28 11:32 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"msacm.l3acm"= L3codecp.acm
"msacm.divxa32"= DivXa32.acm
"vidc.asv2"= asusasv2.dll
"vidc.div3"= DivXc32.dll
"vidc.div4"= DivXc32f.dll
"vidc.ap41"= APmpg4v1.dll
"vidc.mjpg"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
"vidc.rud0"= rududu.dll
"vidc.mj2c"= M3JP2K32.dll
"vidc.mmes"= DigiVCap.dll
"vidc.vixl"= Miroxl32.dll
"vidc.sony"= sonydv.dll
"vidc.dv25"= DigiVCap.dll
"vidc.dv50"= DigiVCap.dll
"vidc.msmc"= DigiVCap.dll
"vidc.mmjp"= DigiVCap.dll
"vidc.3ivx"= 3ivxVfWCodec.dll
"vidc.vssv"= vsscodec.dll
"vidc.pim1"= pclepim1.dll
"vidc.advs"= Dvc.dll
"vidc.asv1"= asusasv1.dll
"vidc.aflc"= flccodec32.dll
"vidc.aasc"= Aasc32.dll
"vidc.avrn"= AvidAVICodec.dll
"VIDC.mszh"= avimszh.dll
"vidc.zlib"= avizlib.dll
"vidc.mwv1"= icmw_32.dll
"vidc.bt20"= btvvc32.drv
"vidc.y41p"= btvvc32.drv
"vidc.cscd"= camcodec.dll
"vidc.cdvc"= CSCCDVC.DLL
"vidc.ddvc"= CSCdvsd.DLL
"vidc.dps0"= DpsAviCC.dll
"vidc.dvx4"= divx4.dll
"vidc.em2v"= EtxCodec.dll
"vidc.frwd"= frwd.dll
"vidc.frwt"= frwt.dll
"vidc.frwu"= frwu.dll
"vidc.glzw"= GLZW.dll
"vidc.gpeg"= GPEG.dll
"vidc.hfyu"= huffyuv.dll
"vidc.i263"= i263_32.drv
"vidc.ir21"= IR21_R.DLL
"vidc.rt21"= IR21_R.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-03-12 12:49 153136 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2007-10-31 00:32 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-11-08 23:00 128920 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
--a------ 2008-09-09 14:06 2465839 c:\program files\Free Download Manager\fdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-09 14:06 133104 c:\documents and settings\Stefan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iPPCamScan]
--a------ 2008-01-23 18:41 86016 c:\windows\iPScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2003-03-25 04:49 53248 c:\windows\system32\mmtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray2K]
--a------ 2003-03-25 04:49 57344 c:\windows\system32\mmtray2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTrayLSI]
--a------ 2003-03-25 04:49 53248 c:\windows\system32\mmtraylsi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-09 17:53 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2006-11-24 01:06 487424 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 10:43 2097488 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 11:35 90112 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
-ra------ 2006-06-29 06:32 89541 c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2007-11-30 11:42 16858624 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]
--a------ 2003-03-25 04:49 106544 c:\windows\system32\tweakui.cpl

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 ekrn;Eset Service;"c:\program files\ESET\ESET Smart Security\ekrn.exe" [2007-12-21 468224]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys [2008-08-14 45848]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2008-12-10 603904]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\DRIVERS\RMSPPPOE.SYS [2002-06-09 31232]
R3 WSIMD;wsimd Service;c:\windows\system32\DRIVERS\wsimd.sys [2008-09-23 57024]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys []
S3 DCamUSBTP10;StarCam mini+;c:\windows\system32\Drivers\iP293x.sys [2008-11-12 241920]
S3 gggen;Generic USB Flash Driver;c:\windows\system32\DRIVERS\gggen.sys [2008-12-02 11648]
S3 usnjsvc;Usluga Messenger Sharing Folders USN Journal Reader;"c:\program files\MSN Messenger\usnsvc.exe" [2007-01-19 97136]
S4 LMIRfsClientNP;LMIRfsClientNP; []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98fbfdef-51f7-11dd-b7bc-0015af99d8cd}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com m:
\Shell\Open\command - m:\resycled\boot.com m:
.
Contents of the 'Scheduled Tasks' folder

2008-12-24 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 16:28]

2008-12-19 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Stefan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-09 14:06]
.
.
------- Supplementary Scan -------
.
uStart Page = [Link mogu videti samo ulogovani korisnici]
FF - ProfilePath - c:\documents and settings\Stefan\Application Data\Mozilla\Firefox\Profiles\6797vdyr.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - [Link mogu videti samo ulogovani korisnici]
FF - prefs.js: keyword.URL - [Link mogu videti samo ulogovani korisnici]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2008-12-24 18:07:26
Windows 5.1.2600 Service Pack 3, v.3244 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASPI32]
"ImagePath"="hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,73,00,70,00,69,00,33,00,32,00,2e,00,73,00,79,00,73,00,00,00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASPI32]
"ImagePath"="hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,73,00,70,00,69,00,33,00,32,00,2e,00,73,00,79,00,73,00,00,00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1312)
c:\windows\system32\athgina.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
.
**************************************************************************
.
Completion time: 2008-12-24 18:10:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-24 17:10:02
ComboFix2.txt 2008-12-23 22:24:45
ComboFix3.txt 2008-11-25 13:28:23
ComboFix4.txt 2008-11-24 20:29:55
ComboFix5.txt 2008-12-24 17:02:59

Pre-Run: 19.320.987.648 bytes free
Post-Run: 19,305,324,544 bytes free

279 --- E O F --- 2008-11-17 17:32:29


---
Od USB uredjaja imam:USB Flash Drive,Telefon + memorijska,Web kamera,skener,USB Miš.To je sve.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

U međuvremenu, između ova dva skeniranja si priključivao neki inficirani drive. Hajde da i to sredimo... Od značaja su nam samo telefon i flash drive, ostalo ne.



Skini sledeci program - [Link mogu videti samo ulogovani korisnici]
- startuj ga i odaberi opciju Auto block
- ubaci USB stick u komp i sacekaj koji sekund (recimo 5-10 sekundi)
- program je sada uradio analizu sticka (vidi se u donjem delu programa, u logu)
- gore levo klikni duplo na slovo koje oznacava particiju, tj. tvoj USB stick
- dole kraj sata ce se pojaviti poruka da smes da izvadis USB stick iz kompa
- ne gasi program, vec ubaci sledeci USB stick i za njega isto sacekaj par sekundi, i tako redom za sve stickove, MP3 plejere, mobilni
- zapamti kojim redom su ubacivani stickovi

Kada sve to zavrsis, log u donjem delu programa ce sadrzati sve podatke koji su meni potrebni da bih video koji stick je zarazen.
Klikni desnim dugmetom misa na log/izvestaj i odaberi Save log.
Automatski ce se otvoriti Notepad i u njemu izvestaj.
Iskopiraj mi taj izvestaj ovde na forum.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

USB_blocker by bobby

Started at 25.12.2008 13:09:33

Scanning for connected USB Mass storage...
========================================
========================================
Scanning for other storage...
========================================
C: 279bcd1c-51f4-11dd-b1a4-806d6172696f
D: 279bcd1d-51f4-11dd-b1a4-806d6172696f
E: 279bcd1e-51f4-11dd-b1a4-806d6172696f
F: 279bcd1f-51f4-11dd-b1a4-806d6172696f
========================================

Scanning fixed storage for autorun.inf files...
========================================
========================================



New device connected at 25.12.2008 13:10:12

Scanning for connected USB Mass storage...
========================================
========================================

Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================
Sanitizing Shell Menu...
========================================


New device connected at 25.12.2008 13:10:13

Scanning for connected USB Mass storage...
========================================
========================================

Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================
Sanitizing Shell Menu...
========================================


New device connected at 25.12.2008 13:12:04

Scanning for connected USB Mass storage...
========================================
J: 98fbfdee-51f7-11dd-b7bc-0015af99d8cd
M: 98fbfdef-51f7-11dd-b7bc-0015af99d8cd
L: b3dfb0b2-51ba-11dd-b7b3-0015af99d8cd
========================================

Scanning USB mass storage for autorun.inf and desktop.ini files...
========================================

autorun.inf found on M:
File M:\autorun.inf renamed successfully
Sanitizing Shell Menu...
No key for GUID: 98fbfdee-51f7-11dd-b7bc-0015af99d8cd
Sanitized 98fbfdef-51f7-11dd-b7bc-0015af99d8cd
No key for GUID: b3dfb0b2-51ba-11dd-b7b3-0015af99d8cd
========================================
M: 98fbfdef-51f7-11dd-b7bc-0015af99d8cd
L: b3dfb0b2-51ba-11dd-b7b3-0015af99d8cd

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Ponovo priključi uređaj koji si poslednji priključivao.

Na njemu se nalazi file autorun.inf.blocked - otvori ga u Notepad-u i iskopiraj sadržaj u iduću poruku.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

[autorun]
;wsogcjvvkbzkjtaeeofedejhbqusshfuvfyfdbahzcahionjjuseiaushpzjak
shellexecute="resycled\boot.com l:"
;wpdcjbubghbpwtagvzszosgoqxqgrwstgkygcjbdomitlsjplojpcxmyhpycmrkqmnrrduhebsnnzhpqprfldprjp
shell\Open\command="resycled\boot.com l:"
;ekfqzd

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Sa tog drive-a obriši folder pod nazivom resycled.

Ukoliko ga ne vidiš, aktiviraj prikaz skrivenih file-ova:
[Link mogu videti samo ulogovani korisnici]


Zatim upakuj u zip/rar kompletan folder: C:\qoobox\quarantine i upload-uj ga preko sledećeg linka:
[Link mogu videti samo ulogovani korisnici]


Javi kada si to odradio i reci mi kakvo je sada stanje.