What is this tnuwq32vpmmr.exe.exe.exe.exe.exe

offline
  • Joined: 14 Sep 2008
  • Posts: 424
  • Location: Podgorica

Good evening everyone.
I apologize in advance if I picked the wrong section.

I found this on my computer:
tnuwq32vpmmr.exe.exe.exe.exe.exe. It was on the C partition, right next to Documents and Settings, Program Files and Windows.
I deleted it the usual way (right-click, then Delete), but when scanning with HijackThis I also found this:
F2 - REG:system.ini:UserInt=C:/WINDOWS/system32/userint.exe,C/WIDOWS/sorry.exe,

Can someone help me?
Thanks, cheers.

offline
  • Joined: 12 Jan 2004
  • Posts: 9661
  • Location: Čačak

Pay attention to how a topic is opened in the Ambulanta:
http://www.mycity.rs/Ambulanta/Kako-otvoriti-temu-u-Ambulanti.html

offline
  • Joined: 14 Sep 2008
  • Posts: 424
  • Location: Podgorica

I apologize, it wasn't intentional.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:33:39, on 20.12.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Memturbo 4\MemTurbo.exe
C:\Program Files\a-squared Anti-Dialer\a2service.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\sorry.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Microsoft - {B3B32131-5331-1267-9353-002031030200} - C:\WINDOWS\search_promo.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MemTurbo.lnk = C:\Program Files\Memturbo 4\MemTurbo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{25C65EA4-5DEC-467C-9414-7FC17653EF49}: NameServer = 195.66.160.1,195.66.160.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 5984 bytes

offline
  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...

Upload the following file: C:\WINDOWS\search_promo.dll

Upload link: http://www.mycity.rs/ambulanta-upload.php

If the file is not visible, enable showing hidden files:
http://www.mycity.rs/Uputstva-sa-ex-SuperSajta/Kako-videti-skrivene-fajlove.html

offline
  • Joined: 14 Sep 2008
  • Posts: 424
  • Location: Podgorica

Here it is.
Thanks for the help.

offline
  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Right-click the avast! icon in the lower right corner of the screen and choose Stop OnAccess Protection.

Note: Don't forget to turn this option back on when the cleaning is finished.

Download ComboFix from one of the following addresses to the Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and don't touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear; copy it here for us.

offline
  • Joined: 14 Sep 2008
  • Posts: 424
  • Location: Podgorica

Here it is, I hope I did it right.

ComboFix 08-12-18.03 - JIB 2008-12-20 11:39:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.1023.571 [GMT 1:00]
Running from: c:\documents and settings\JIB\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - WINDOWS: deleted 48 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\JIB\Application Data\.#
c:\documents and settings\JIB\Application Data\inst.exe
c:\windows\regedit.com
c:\windows\system32\taskmgr.com
c:\windows\system32\wfwindowp32.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-20 to 2008-12-20 )))))))))))))))))))))))))))))))
.

2008-12-20 11:30 . 2008-12-20 11:30 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Grisoft
2008-12-20 11:21 . 2006-09-05 17:03 3,968 --a------ c:\windows\system32\drivers\AvgAsCln.sys
2008-12-20 03:19 . 2008-12-20 03:19 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\SITEguard
2008-12-20 03:15 . 2008-12-20 03:15 <DIR> d-------- c:\program files\Common Files\iS3
2008-12-20 00:19 . 2008-12-20 00:19 69,632 --a------ c:\windows\search_promo.dll
2008-12-17 23:15 . 2008-12-17 23:15 <DIR> d-------- c:\documents and settings\JIB\Application Data\Uniblue
2008-12-17 02:04 . 2008-12-17 01:22 5,977 --a------ c:\windows\sorry.exe
2008-12-16 13:39 . 2008-12-16 13:39 <DIR> d-------- c:\program files\EA GAMES
2008-12-14 19:56 . 2008-12-14 19:56 <DIR> d-------- c:\documents and settings\JIB\Application Data\Thinstall
2008-12-12 10:11 . 2008-12-12 10:11 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Elaborate Bytes
2008-12-11 21:53 . 2008-12-11 21:53 <DIR> d-------- c:\windows\system32\embedded
2008-12-11 21:53 . 2008-12-11 21:53 <DIR> d-------- c:\program files\Memturbo 4
2008-12-06 17:54 . 2008-12-06 17:54 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\nView_Profiles
2008-12-06 00:17 . 2008-12-06 00:17 <DIR> d-------- c:\program files\Eidos
2008-12-04 16:47 . 2008-12-20 11:04 31,324 --a------ c:\windows\system32\nvapps.xml
2008-12-04 16:09 . 2008-12-04 16:57 664 --a------ c:\windows\system32\d3d9caps.dat
2008-12-04 16:06 . 2008-12-04 17:09 <DIR> d-------- c:\windows\nview
2008-12-04 16:06 . 2008-09-17 23:55 453,152 --a------ c:\windows\system32\nvuninst.exe
2008-12-04 16:06 . 2008-09-17 23:55 453,152 --a------ c:\windows\system32\nvudisp.exe
2008-12-04 16:06 . 2005-07-20 14:07 14,757 --a------ c:\windows\system32\nvdisp.nvu
2008-12-04 15:43 . 2008-12-04 15:43 <DIR> d-------- c:\program files\Xicat
2008-12-03 11:54 . 2008-12-03 11:54 <DIR> d-------- c:\documents and settings\JIB\Application Data\DAEMON Tools
2008-12-01 01:09 . 2008-12-01 01:12 <DIR> d-------- c:\documents and settings\JIB\Application Data\BID
2008-12-01 00:07 . 2008-12-01 10:45 21,840 --a----t- c:\windows\system32\SIntfNT.dll
2008-12-01 00:07 . 2008-12-01 10:45 17,212 --a----t- c:\windows\system32\SIntf32.dll
2008-12-01 00:07 . 2008-12-01 10:45 12,067 --a----t- c:\windows\system32\SIntf16.dll
2008-11-30 23:32 . 2008-12-13 18:49 <DIR> d-------- c:\documents and settings\JIB\Application Data\IObit
2008-11-29 13:23 . 2008-11-29 13:26 <DIR> d-------- c:\program files\Webteh
2008-11-28 11:09 . 2008-11-30 23:43 <DIR> d-------- c:\windows\Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-20 02:27 --------- d-----w c:\documents and settings\JIB\Application Data\Lavasoft
2008-12-19 23:30 --------- d---a-w c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2008-12-19 08:48 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-12-19 07:58 --------- d-----w c:\program files\Di recnik
2008-12-17 22:44 --------- d-----w c:\program files\GRETECH
2008-12-16 12:39 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-16 01:54 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-16 01:50 --------- d-----w c:\program files\Wise Registry Cleaner
2008-12-13 17:52 --------- d-----w c:\program files\IObit
2008-12-13 17:44 --------- d-----w c:\documents and settings\JIB\Application Data\DNA
2008-12-11 20:50 --------- d-----w c:\program files\MemTurbo30
2008-12-06 09:40 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-03 18:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 18:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-11-30 22:43 --------- d-----w c:\documents and settings\JIB\Application Data\Vso
2008-11-25 22:02 --------- d-----w c:\documents and settings\JIB\Application Data\Skype
2008-11-16 13:48 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-10 23:46 --------- d-----w c:\program files\SuperBlank
2008-10-31 01:02 223,128 ----a-w c:\windows\system32\drivers\vaxscsi.sys
2008-10-31 01:02 --------- d-----w c:\program files\Alcohol Soft
2008-10-31 00:06 --------- d-----w c:\program files\NCH Software
2008-10-20 15:51 --------- d-----w c:\documents and settings\JIB\Application Data\NCH Software
2008-10-20 15:49 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\NCH Software
2008-10-12 13:16 43,520 ----a-w c:\windows\system32\CmdLineExt03.dll
2008-10-09 18:48 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-10-07 13:44 47,360 ----a-w c:\documents and settings\JIB\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2008-11-26 2235920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-20 7110656]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-07-20 86016]
"nwiz"="nwiz.exe" [2005-07-20 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\JIB\Start Menu\Programs\Startup\
MemTurbo.lnk - c:\program files\Memturbo 4\MemTurbo.exe [2008-12-11 2314752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"msacm.ac3filter"= ac3filter.acm
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPitstop Disk MD Registration Reminder

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [2005-12-06 35328]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-08-10 111184]
R2 a2AntiDialer;a-squared Anti-Dialer Service;"c:\program files\a-squared Anti-Dialer\a2service.exe" [2008-07-13 380536]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-08-10 20560]
S2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};\??\c:\program files\CyberLink\PowerDVD\000.fcl []
S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e10387b2-b0f6-11dd-9bf5-0015f29cd874}]
\Shell\AutoRun\command - nideiect.com
\Shell\explore\Command - nideiect.com
\Shell\open\Command - nideiect.com

*Newly Created Service* - AVG_ANTI-SPYWARE_GUARD
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-07-14 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-30 13:45]
.
.
------- Supplementary Scan -------
.
mWindow Title =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {25C65EA4-5DEC-467C-9414-7FC17653EF49} = 195.66.160.1,195.66.160.2
FF - ProfilePath - c:\documents and settings\JIB\Application Data\Mozilla\Firefox\Profiles\q9xumreg.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
FF - user.js: network.proxy.http_port - 0
FF - user.js: network.proxy.ssl -
FF - user.js: network.proxy.ssl_port - 0
FF - user.js: network.proxy.ftp -
FF - user.js: network.proxy.ftp_port - 0
FF - user.js: network.proxy.gopher -
FF - user.js: network.proxy.gopher_port - 0
FF - user.js: network.proxy.socks_version - 5
FF - user.js: network.proxy.socks -
FF - user.js: network.proxy.socks_port - 0
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-20 11:41:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-12-20 11:42:03
ComboFix-quarantined-files.txt 2008-12-20 10:42:01

Pre-Run: 26.534.375.424 bytes free
Post-Run: 26,536,546,304 bytes free

Update: 20 Dec 2008 12:37

Now when I open Start, then Run, and type msconfig, it gives me the following message.
What is this?

Update: 20 Dec 2008 12:39

offline
  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

About that later, once we're done removing the malware.

Open Notepad and copy the following text:

File::
c:\windows\search_promo.dll
c:\windows\sorry.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e10387b2-b0f6-11dd-9bf5-0015f29cd874}]

Save the file from Notepad to the Desktop as "CFScript".

Drag the saved script/text onto the ComboFix icon as in the picture.
Post in your next message the log that is produced at the end of the cleaning/scan.
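The two indicators the helper acts on above are the F2 UserInit line from the HijackThis log (an extra executable after userinit.exe) and the mountpoints2 block from the ComboFix log (a volume whose Shell verbs run a file when opened in Explorer). The following script, an added example that is not code from the thread, from HijackThis or from ComboFix, parses both log formats and flags those entries; the embedded sample lines are copied from this thread's logs.

```python
"""Flag the two persistence indicators acted on in this thread, given raw
HijackThis / ComboFix log text.  Added example; not code from the thread,
from HijackThis or from ComboFix.

  * The F2 UserInit line: Winlogon runs every comma-separated entry in the
    UserInit value at logon, so anything besides the standard userinit.exe
    in system32 is an extra autostart (here sorry.exe).
  * mountpoints2\\{GUID}\\Shell\\<verb>\\command: opening that volume in
    Explorer runs the stored command (here nideiect.com).
"""
import re

# Constructed sample: the relevant lines copied from the thread's logs.
HJT_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\sorry.exe,
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e10387b2-b0f6-11dd-9bf5-0015f29cd874}]
\Shell\AutoRun\command - nideiect.com
\Shell\explore\Command - nideiect.com
\Shell\open\Command - nideiect.com

*Newly Created Service* - CATCHME
"""

USERINIT_RE = re.compile(r"UserInit\s*=\s*(.*)$", re.IGNORECASE)
# Only <drive>:\windows\system32\userinit.exe is the legitimate entry.
STANDARD_USERINIT = re.compile(r"^[a-z]:\\windows\\system32\\userinit\.exe$")
MOUNTPOINT_RE = re.compile(
    r"\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]", re.IGNORECASE)
SHELL_CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(\S.*)$", re.IGNORECASE)


def check_userinit(value):
    """Split the comma-separated UserInit value and return every entry that
    is not the standard userinit.exe in the Windows system32 directory."""
    flagged = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue  # the value normally ends with a trailing comma
        normalized = entry.lower().replace("/", "\\")
        if STANDARD_USERINIT.match(normalized):
            continue
        flagged.append(entry)
    return flagged


def scan_hijackthis(text):
    """Return a finding string for each extra program on the F2 UserInit line."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("F2 - "):
            continue
        match = USERINIT_RE.search(line)
        if match:
            for extra in check_userinit(match.group(1)):
                findings.append("UserInit also launches: " + extra)
    return findings


def scan_combofix_mountpoints(text):
    """Map each mountpoints2 volume GUID to its {shell verb: command} pairs.
    Any entry here means opening that volume in Explorer runs the command."""
    volumes = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        key = MOUNTPOINT_RE.search(line)
        if key:
            current = key.group(1)
            volumes[current] = {}
            continue
        if not line or line.startswith("["):
            current = None  # end of the block or a different registry key
            continue
        cmd = SHELL_CMD_RE.match(line)
        if current and cmd:
            volumes[current][cmd.group(1).lower()] = cmd.group(2).strip()
    return volumes


if __name__ == "__main__":
    for finding in scan_hijackthis(HJT_SAMPLE):
        print("HJT:", finding)
    for guid, verbs in scan_combofix_mountpoints(COMBOFIX_SAMPLE).items():
        for verb, command in sorted(verbs.items()):
            print("CF :", guid, verb, "->", command)
```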

offline
  • Joined: 14 Sep 2008
  • Posts: 424
  • Location: Podgorica

ComboFix 08-12-18.03 - JIB 2008-12-20 13:11:28.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.1023.505 [GMT 1:00]
Running from: c:\documents and settings\JIB\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\JIB\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\search_promo.dll
c:\windows\sorry.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\search_promo.dll
c:\windows\sorry.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-20 to 2008-12-20 )))))))))))))))))))))))))))))))
.

2008-12-20 11:30 . 2008-12-20 11:30 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Grisoft
2008-12-20 03:19 . 2008-12-20 03:19 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\SITEguard
2008-12-20 03:15 . 2008-12-20 03:15 <DIR> d-------- c:\program files\Common Files\iS3
2008-12-17 23:15 . 2008-12-17 23:15 <DIR> d-------- c:\documents and settings\JIB\Application Data\Uniblue
2008-12-16 13:39 . 2008-12-16 13:39 <DIR> d-------- c:\program files\EA GAMES
2008-12-14 19:56 . 2008-12-14 19:56 <DIR> d-------- c:\documents and settings\JIB\Application Data\Thinstall
2008-12-12 10:11 . 2008-12-12 10:11 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Elaborate Bytes
2008-12-11 21:53 . 2008-12-11 21:53 <DIR> d-------- c:\windows\system32\embedded
2008-12-11 21:53 . 2008-12-11 21:53 <DIR> d-------- c:\program files\Memturbo 4
2008-12-06 17:54 . 2008-12-06 17:54 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\nView_Profiles
2008-12-06 00:17 . 2008-12-06 00:17 <DIR> d-------- c:\program files\Eidos
2008-12-04 16:47 . 2008-12-20 11:04 31,324 --a------ c:\windows\system32\nvapps.xml
2008-12-04 16:09 . 2008-12-04 16:57 664 --a------ c:\windows\system32\d3d9caps.dat
2008-12-04 16:06 . 2008-12-04 17:09 <DIR> d-------- c:\windows\nview
2008-12-04 16:06 . 2008-09-17 23:55 453,152 --a------ c:\windows\system32\nvuninst.exe
2008-12-04 16:06 . 2008-09-17 23:55 453,152 --a------ c:\windows\system32\nvudisp.exe
2008-12-04 16:06 . 2005-07-20 14:07 14,757 --a------ c:\windows\system32\nvdisp.nvu
2008-12-04 15:43 . 2008-12-04 15:43 <DIR> d-------- c:\program files\Xicat
2008-12-03 11:54 . 2008-12-03 11:54 <DIR> d-------- c:\documents and settings\JIB\Application Data\DAEMON Tools
2008-12-01 01:09 . 2008-12-01 01:12 <DIR> d-------- c:\documents and settings\JIB\Application Data\BID
2008-12-01 00:07 . 2008-12-01 10:45 21,840 --a----t- c:\windows\system32\SIntfNT.dll
2008-12-01 00:07 . 2008-12-01 10:45 17,212 --a----t- c:\windows\system32\SIntf32.dll
2008-12-01 00:07 . 2008-12-01 10:45 12,067 --a----t- c:\windows\system32\SIntf16.dll
2008-11-30 23:32 . 2008-12-13 18:49 <DIR> d-------- c:\documents and settings\JIB\Application Data\IObit
2008-11-29 13:23 . 2008-11-29 13:26 <DIR> d-------- c:\program files\Webteh
2008-11-28 11:09 . 2008-11-30 23:43 <DIR> d-------- c:\windows\Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-20 02:27 --------- d-----w c:\documents and settings\JIB\Application Data\Lavasoft
2008-12-19 23:30 --------- d---a-w c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2008-12-19 08:48 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-12-19 07:58 --------- d-----w c:\program files\Di recnik
2008-12-17 22:44 --------- d-----w c:\program files\GRETECH
2008-12-16 12:39 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-16 01:54 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-16 01:50 --------- d-----w c:\program files\Wise Registry Cleaner
2008-12-13 17:52 --------- d-----w c:\program files\IObit
2008-12-13 17:44 --------- d-----w c:\documents and settings\JIB\Application Data\DNA
2008-12-11 20:50 --------- d-----w c:\program files\MemTurbo30
2008-12-06 09:40 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-03 18:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 18:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-11-30 22:43 --------- d-----w c:\documents and settings\JIB\Application Data\Vso
2008-11-25 22:02 --------- d-----w c:\documents and settings\JIB\Application Data\Skype
2008-11-16 13:48 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-10 23:46 --------- d-----w c:\program files\SuperBlank
2008-10-31 01:02 223,128 ----a-w c:\windows\system32\drivers\vaxscsi.sys
2008-10-31 01:02 --------- d-----w c:\program files\Alcohol Soft
2008-10-31 00:06 --------- d-----w c:\program files\NCH Software
2008-10-20 15:51 --------- d-----w c:\documents and settings\JIB\Application Data\NCH Software
2008-10-20 15:49 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\NCH Software
2008-10-12 13:16 43,520 ----a-w c:\windows\system32\CmdLineExt03.dll
2008-10-09 18:48 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-10-07 13:44 47,360 ----a-w c:\documents and settings\JIB\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2008-11-26 2235920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-20 7110656]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-07-20 86016]
"nwiz"="nwiz.exe" [2005-07-20 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\JIB\Start Menu\Programs\Startup\
MemTurbo.lnk - c:\program files\Memturbo 4\MemTurbo.exe [2008-12-11 2314752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [2005-12-06 35328]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-08-10 111184]
R2 a2AntiDialer;a-squared Anti-Dialer Service;"c:\program files\a-squared Anti-Dialer\a2service.exe" [2008-07-13 380536]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-08-10 20560]
S2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};\??\c:\program files\CyberLink\PowerDVD\000.fcl []
S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys []

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-07-14 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-30 13:45]
.
.
------- Supplementary Scan -------
.
mWindow Title =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {25C65EA4-5DEC-467C-9414-7FC17653EF49} = 195.66.160.1,195.66.160.2
FF - ProfilePath - c:\documents and settings\JIB\Application Data\Mozilla\Firefox\Profiles\q9xumreg.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
FF - user.js: network.proxy.http_port - 0
FF - user.js: network.proxy.ssl -
FF - user.js: network.proxy.ssl_port - 0
FF - user.js: network.proxy.ftp -
FF - user.js: network.proxy.ftp_port - 0
FF - user.js: network.proxy.gopher -
FF - user.js: network.proxy.gopher_port - 0
FF - user.js: network.proxy.socks_version - 5
FF - user.js: network.proxy.socks -
FF - user.js: network.proxy.socks_port - 0
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-20 13:13:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-12-20 13:13:55
ComboFix-quarantined-files.txt 2008-12-20 12:13:53
ComboFix2.txt 2008-12-20 10:42:05

Pre-Run: 26.255.888.384 bytes free
Post-Run: 26,244,653,056 bytes free

Thanks once again!

Update: 20 Dec 2008 13:24

Did I do this right?
I hope I didn't mess something up.

offline
  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Well done...

This looks OK now. As for msconfig...

The file should be in this folder: C:\WINDOWS\pchealth\helpctr\binaries

Check whether it's there and whether it can be launched by double-clicking.
