Trojan/virus....


offline
  • Joined: 01 Oct 2003
  • Posts: 2383
  • Location: Beograd

Symptoms...

There are all sorts. From the computer shutting itself down, blocking any activity on the computer, the internet being slowed down (e.g. loading the Facebook page takes up to 2-3 minutes, even though I use cable internet), it throws "Application error", NOD pops up every 15 minutes or so saying there is some trojan, although when I let it scan it found nothing, etc....
The symptoms appeared a couple of days ago when I copied two Excel spreadsheets and one PPT presentation from my boss via USB. I suspect that is what infected me, because I haven't installed or downloaded anything else from the net.....

DDS (Ver_10-11-27.01) - NTFSx86
Run by Sandra at 10:40:17,73 on ned 28.11.2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.2124 [GMT 1:00]

AV: ESET NOD32 Antivirus 4.2 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe
C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe
C:\Program Files\ASUS\ATK Hotkey\HControl.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\WINDOWS\cfdrive32.exe
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\POP Peeper\POPPeeper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\ASUS\ATK Hotkey\KBFiltr.exe
C:\Program Files\ASUS\ATK Hotkey\WDC.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\NclBTHandler.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Sandra\Local Settings\temp\44A.tmp\MBR.DAT
C:\Documents and Settings\Sandra\Desktop\dds.scr
C:\WINDOWS\System32\47.exe

============== Pseudo HJT Report ===============

uStart Page = https://webmail.eu.avon.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mWinlogon: Taskman=c:\recycler\s-1-5-21-9536250997-7697240908-503244886-3612\syscr.exe
uWinlogon: Shell=c:\recycler\s-1-5-21-5588979237-6877743222-004887909-6358\winmap.exe,c:\recycler\s-1-5-21-9536250997-7697240908-503244886-3612\syscr.exe,c:\recycler\s-1-5-21-9660388536-5969709536-645100007-4965\syscr.exe,c:\recycler\s-1-5-21-8643268453-1532546436-153066658-1152\winmap.exe,c:\recycler\s-1-5-21-8643620432-8321015159-637092578-9980\syscr.exe,c:\recycler\s-1-5-21-6642699865-1351334113-516929404-8277\winmap.exe,c:\recycler\s-1-5-21-9979629374-1761278895-872011556-4135\syscr.exe,c:\recycler\s-1-5-21-8672445280-5577799409-793242634-4802\syscr.exe,c:\recycler\s-1-5-21-0243556031-888888379-781863308-1455\psysnew.exe,c:\documents and settings\sandra\application data\oekx.exe,c:\recycler\s-1-5-21-5662381343-8759434493-699171875-5635\winmap.exe,c:\recycler\s-1-5-21-3614389291-3957977055-869157136-9481\winmap.exe,c:\recycler\s-1-5-21-0226843074-1130955995-188447802-8342\syscr.exe,c:\recycler\s-1-5-21-8649083567-5547243513-138360304-6716\syscr.exe,c:\documents and settings\sandra\application data\ltzqai.exe,c:\recycler\s-1-5-21-0857541699-0607753937-421290351-8280\syscr.exe,c:\recycler\s-1-5-21-2818647820-0375033766-560893499-1178\syscr.exe,explorer.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [POP Peeper] "c:\program files\pop peeper\POPPeeper.exe" -min
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [psysnew] c:\recycler\s-1-5-21-0243556031-888888379-781863308-1455\psysnew.exe
mRun: [MsgTranAgt] c:\program files\asus\atk hotkey\MsgTranAgt.exe
mRun: [HControlUser] c:\program files\asus\atk hotkey\HControlUser.exe
mRun: [ATKHOTKEY] c:\program files\asus\atk hotkey\HControl.exe
mRun: [ATKOSD2] "c:\program files\atkosd2\ATKOSD2.exe"
mRun: [ATKMEDIA] c:\program files\asus\atk media\DMEDIA.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Wireless Console 2] "c:\program files\wireless console 2\wcourier.exe"
mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Power_Gear] c:\program files\asus\power4 gear\BatteryLife.exe 1
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup
mRun: [gemstrmw] c:\windows\system32\gemstrmw.exe /r
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Microsoft Driver Setup] c:\windows\cfdrive32.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Nokia.PCSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
mExplorerRun: [Microsoft Driver Setup] c:\windows\cfdrive32.exe
StartupFolder: c:\docume~1\sandra\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {62CF4D10-EBA7-45DA-ACA0-4B002E8B3A85} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiNetSetPlugIn.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229293699312
DPF: {7136C6F0-DE59-4AD5-B4A3-CA8B779D035E} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiSetPinPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DC01983E-2FD5-4200-9C3A-755E86413172} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiPKCS11Plugin.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://webmail.eu.avon.com/dwa7W.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sandra\applic~1\mozilla\firefox\profiles\9bo71q6s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php?ref=home
FF - plugin: c:\documents and settings\sandra\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\sandra\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np72esk32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPeWebEditPro.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-7-29 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-8-3 95896]
R1 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\hwinfo32\HWiNFO32.SYS [2009-4-8 16872]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-11-4 810144]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-11-6 54752]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2008-12-14 41376]
S2 bdkoo;Support Helper;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 Windows Hosts Controller;Windows Hosts Controller; [x]
S3 CRFILTER;USB Mass Storage Filter;c:\windows\system32\drivers\CRFILTER.sys [2008-4-7 6656]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 fvehs;fvehs;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 GemCCID;GemCCID;c:\windows\system32\drivers\GemCCID.sys [2009-8-10 89600]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-1-21 100480]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-3-17 189792]

=============== Created Last 30 ================

2010-11-28 09:38:42 98304 ----a-w- c:\windows\system32\78.exe
2010-11-28 09:35:01 98304 ----a-w- c:\windows\system32\52.exe
2010-11-28 09:27:02 20480 ----a-w- c:\windows\system32\x.exe
2010-11-28 09:21:45 98304 ----a-w- c:\windows\system32\04.exe
2010-11-28 09:18:35 98304 ----a-w- c:\windows\system32\02.exe
2010-11-28 09:17:31 98304 ----a-w- c:\windows\system32\40.exe
2010-11-28 09:10:23 98304 ----a-w- c:\windows\system32\63.exe
2010-11-28 09:06:41 98304 ----a-w- c:\windows\system32\74.exe
2010-11-27 08:10:17 98304 ----a-w- c:\windows\system32\14.exe
2010-11-27 08:06:19 98304 ----a-w- c:\windows\system32\28.exe
2010-11-27 08:01:03 98304 ----a-w- c:\windows\system32\58.exe
2010-11-27 07:35:20 94208 --sh--r- c:\docume~1\sandra\applic~1\ltzqai.exe
2010-11-27 07:32:46 167936 --sh--r- c:\windows\cfdrive32.exe
2010-11-26 18:31:38 97868 ----a-w- c:\windows\system32\73.exe
2010-11-26 18:30:44 95348 ----a-w- c:\windows\system32\57.exe
2010-11-26 17:35:38 97868 ----a-w- c:\windows\system32\07.exe
2010-11-26 17:35:02 94088 ----a-w- c:\windows\system32\67.exe
2010-11-26 17:28:41 95348 ----a-w- c:\windows\system32\80.exe
2010-11-26 09:19:37 98304 ----a-w- c:\windows\system32\50.exe
2010-11-26 09:18:34 96608 ----a-w- c:\windows\system32\54.exe
2010-11-26 08:58:04 98304 ----a-w- c:\windows\system32\01.exe
2010-11-26 08:45:31 98304 ----a-w- c:\windows\system32\10.exe
2010-11-26 08:33:28 98304 ----a-w- c:\windows\system32\22.exe
2010-11-26 08:24:53 98304 ----a-w- c:\windows\system32\84.exe
2010-11-26 08:12:45 98304 ----a-w- c:\windows\system32\00.exe
2010-11-26 07:52:09 94088 ----a-w- c:\windows\system32\66.exe
2010-11-26 07:51:21 98304 ----a-w- c:\windows\system32\13.exe
2010-11-26 07:39:22 98304 ----a-w- c:\windows\system32\62.exe
2010-11-26 07:14:51 98304 ----a-w- c:\windows\system32\35.exe
2010-11-25 19:53:00 98304 ----a-w- c:\windows\system32\64.exe
2010-11-25 19:46:21 98304 ----a-w- c:\windows\system32\16.exe
2010-11-25 19:45:21 98304 ----a-w- c:\windows\system32\25.exe
2010-11-25 19:44:27 98304 ----a-w- c:\windows\system32\55.exe
2010-11-25 09:51:08 98304 ----a-w- c:\windows\system32\24.exe
2010-11-25 09:13:45 98304 ----a-w- c:\windows\system32\34.exe
2010-11-25 08:27:48 98304 ----a-w- c:\windows\system32\47.exe
2010-11-25 08:21:07 98304 ----a-w- c:\windows\system32\53.exe
2010-11-25 08:00:56 -------- d-----w- c:\docume~1\sandra\locals~1\applic~1\ESET
2010-11-25 07:56:25 -------- d-----w- c:\program files\ESET
2010-11-25 07:55:51 98304 --sh--r- c:\docume~1\sandra\applic~1\oekx.exe
2010-11-25 07:55:26 98304 ----a-w- c:\windows\system32\81.exe
2010-11-25 07:54:45 61440 --sh--r- c:\windows\cwdrive32.exe
2010-11-25 07:44:45 98304 ----a-w- c:\windows\system32\06.exe
2010-11-22 18:56:25 98304 ----a-w- c:\windows\system32\26.exe
2010-11-22 18:55:00 98304 ----a-w- c:\windows\system32\61.exe
2010-11-22 18:16:01 98304 ----a-w- c:\windows\system32\51.exe
2010-11-10 09:51:35 765952 ----a-w- c:\windows\system32\msvcp71d.dll
2010-11-10 09:51:35 544768 ----a-w- c:\windows\system32\msvcr71d.dll
2010-11-10 09:51:30 -------- d-----w- c:\program files\ALCATEL PC Suite
2010-11-10 09:50:02 131072 ----a-w- c:\windows\system32\mtkjpeg.dll
2010-11-05 20:22:36 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2010-11-05 20:22:36 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2010-10-30 21:58:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\NokiaInstallerCache

==================== Find3M ====================

2010-09-15 02:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 00:29:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2008-12-14 22:57:42 1851544 ----a-w- c:\program files\install_flash_player.exe

============= FINISH: 10:40:31,01 ===============
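The report above is read by eye by the helper in the next post; as an added illustration (not part of this thread, and not part of DDS or ComboFix), the following Python script applies a few of the same heuristics mechanically: a Winlogon Shell value that lists anything besides explorer.exe, a Winlogon Taskman value being set at all, autostart or service paths under a recycler, application data or temp directory, service images that are .tmp files, and executables whose name is digits only (the system32\NN.exe pattern above). The sample lines are copied from the DDS log above; the script, the heuristics and the names `triage`, `check_path` and `SUSPICIOUS_DIRS` are ours. Note what it deliberately does not flag: c:\windows\cfdrive32.exe looks like any other Windows path, and in the log above it stands out only through its --sh--r- attributes in the "Created Last 30" section and its duplicate mExplorerRun entry, which is why path heuristics alone never replace reading the whole report.

```python
import re
from typing import List, Tuple

# Constructed sample input: lines in the format of the DDS "Pseudo HJT Report",
# "SERVICES / DRIVERS" and "Running Processes" sections. The paths are copied from
# the log posted above; the selection and the script are ours, not part of DDS.
SAMPLE_DDS_LINES = [
    r'uWinlogon: Shell=c:\recycler\s-1-5-21-5588979237-6877743222-004887909-6358\winmap.exe,c:\documents and settings\sandra\application data\oekx.exe,explorer.exe',
    r'mWinlogon: Taskman=c:\recycler\s-1-5-21-9536250997-7697240908-503244886-3612\syscr.exe',
    r'uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized',
    r'uRun: [psysnew] c:\recycler\s-1-5-21-0243556031-888888379-781863308-1455\psysnew.exe',
    r'mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice',
    r'mRun: [Microsoft Driver Setup] c:\windows\cfdrive32.exe',
    r'S3 fvehs;fvehs;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]',
    r'R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-11-4 810144]',
    r'C:\WINDOWS\System32\47.exe',
]

# Directory fragments (lower-case) in which no legitimate autostart entry should live.
SUSPICIOUS_DIRS = ('\\recycler\\', '\\application data\\', '\\temp\\')

Finding = Tuple[str, str]  # (reason, offending path)

_WINLOGON_RE = re.compile(r'^[um]Winlogon: (?P<key>\w+)=(?P<val>.*)$', re.I)
_RUN_RE = re.compile(r'^[umd]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$', re.I)
_SERVICE_RE = re.compile(r'^[RS]\d (?P<name>[^;]*);(?P<display>[^;]*);(?P<image>.*?)(?: \[.*\])?$')
_DRIVE_RE = re.compile(r'^[a-z]:\\', re.I)
# First executable/module path on a command line, quoted or not.
_PATH_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|tmp|dll|sys))', re.I)


def first_path(cmd: str) -> str:
    """Return the lower-cased path that starts a command line, or '' if none."""
    m = _PATH_RE.match(cmd.strip())
    return m.group('path').lower() if m else ''


def check_path(path: str) -> List[str]:
    """Heuristics applied to any autostart, service or process path."""
    reasons = []
    if any(d in path for d in SUSPICIOUS_DIRS):
        reasons.append('autostart from recycler/profile/temp directory')
    base = path.rsplit('\\', 1)[-1]
    stem, _, ext = base.rpartition('.')
    if ext == 'exe' and stem.isdigit():
        reasons.append('executable named with digits only')
    if ext == 'tmp':
        reasons.append('service image is a .tmp file')
    return reasons


def triage(lines) -> List[Finding]:
    """Scan DDS-style lines and return (reason, path) pairs worth a second look."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = _WINLOGON_RE.match(line)
        if m:
            key, val = m.group('key').lower(), m.group('val')
            if key == 'shell':
                # The default Shell value is explorer.exe alone; every extra entry
                # is launched at logon alongside the desktop.
                for entry in val.split(','):
                    p = first_path(entry)
                    if p and p != 'explorer.exe':
                        findings.append(('Winlogon Shell contains an extra program', p))
            elif key == 'taskman':
                # Taskman is unset on a default Windows XP install.
                findings.append(('Winlogon Taskman is set', first_path(val)))
            continue
        m = _RUN_RE.match(line) or _SERVICE_RE.match(line)
        if m:
            p = first_path(m.group('cmd') if 'cmd' in m.groupdict() else m.group('image'))
        elif _DRIVE_RE.match(line):
            p = first_path(line)  # bare path from the "Running Processes" section
        else:
            continue
        findings.extend((reason, p) for reason in check_path(p))
    return findings


if __name__ == '__main__':
    for reason, path in triage(SAMPLE_DDS_LINES):
        print(f'{reason:45} {path}')
```

Run against the sample it reports six findings: the two extra Shell entries, the Taskman value, the psysnew Run entry, the .tmp service image and the digits-only process name, while the Skype, egui and ekrn entries pass. The point of returning (reason, path) pairs rather than printing is that the same function can be fed a whole saved DDS.txt and its output diffed against a known-clean baseline of the same machine.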



offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...


Do not use flash drives until I say you can.


Download sUBs' ComboFix from the following address to the Desktop:

Bleeping Computer
Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
When the dialog for choosing the save location opens, select Desktop and click Save.


When the download is finished:
disable your security software (instructions);
close running programs;
double-click to run ComboFix.

While running, ComboFix will:
check whether a newer version of the program exists: click Yes if offered to download it.
display the DISCLAIMER OF WARRANTY ON SOFTWARE: click Yes so that the process continues.
if the Recovery Console is not installed, offer to install it: be sure to accept by clicking Yes and follow the procedure.
ask a certain number of questions/show notifications: accept by clicking Yes or OK.
restart Windows if necessary (several times);
at the end, open Notepad with the scan report.


Copy the report ComboFix made into the forum topic:
right-click in the Notepad window and choose Select All;
right-click the highlighted text and choose Copy;
right-click in the message box and choose Paste.


Note: the report will be saved under the name ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
If after posting you notice the report is incomplete, use the Attach file option to attach the file C:\ComboFix.txt to the message.

offline
  • Joined: 01 Oct 2003
  • Posts: 2383
  • Location: Beograd

ComboFix 10-11-27.01 - Sandra 28.11.2010 20:30:59.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.2155 [GMT 1:00]
Running from: c:\documents and settings\Sandra\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sandra\Application Data\ltzqai.exe
c:\documents and settings\Sandra\Application Data\oekx.exe
c:\windows\cfdrive32.exe
c:\windows\logfile32.txt
c:\windows\nigzss.txt
c:\windows\system32\00.exe
c:\windows\system32\01.exe
c:\windows\system32\02.exe
c:\windows\system32\04.exe
c:\windows\system32\05.exe
c:\windows\system32\06.exe
c:\windows\system32\07.exe
c:\windows\system32\08.exe
c:\windows\system32\10.exe
c:\windows\system32\11.exe
c:\windows\system32\12.exe
c:\windows\system32\13.exe
c:\windows\system32\14.exe
c:\windows\system32\15.exe
c:\windows\system32\16.exe
c:\windows\system32\17.exe
c:\windows\system32\18.exe
c:\windows\system32\20.exe
c:\windows\system32\21.exe
c:\windows\system32\22.exe
c:\windows\system32\23.exe
c:\windows\system32\24.exe
c:\windows\system32\25.exe
c:\windows\system32\26.exe
c:\windows\system32\27.exe
c:\windows\system32\28.exe
c:\windows\system32\30.exe
c:\windows\system32\31.exe
c:\windows\system32\32.exe
c:\windows\system32\33.exe
c:\windows\system32\34.exe
c:\windows\system32\35.exe
c:\windows\system32\36.exe
c:\windows\system32\37.exe
c:\windows\system32\38.exe
c:\windows\system32\40.exe
c:\windows\system32\41.exe
c:\windows\system32\42.exe
c:\windows\system32\43.exe
c:\windows\system32\44.exe
c:\windows\system32\45.exe
c:\windows\system32\46.exe
c:\windows\system32\47.exe
c:\windows\system32\48.exe
c:\windows\system32\50.exe
c:\windows\system32\51.exe
c:\windows\system32\52.exe
c:\windows\system32\53.exe
c:\windows\system32\54.exe
c:\windows\system32\55.exe
c:\windows\system32\56.exe
c:\windows\system32\57.exe
c:\windows\system32\58.exe
c:\windows\system32\60.exe
c:\windows\system32\61.exe
c:\windows\system32\62.exe
c:\windows\system32\63.exe
c:\windows\system32\64.exe
c:\windows\system32\65.exe
c:\windows\system32\66.exe
c:\windows\system32\67.exe
c:\windows\system32\68.exe
c:\windows\system32\70.exe
c:\windows\system32\71.exe
c:\windows\system32\72.exe
c:\windows\system32\73.exe
c:\windows\system32\74.exe
c:\windows\system32\75.exe
c:\windows\system32\76.exe
c:\windows\system32\77.exe
c:\windows\system32\78.exe
c:\windows\system32\80.exe
c:\windows\system32\81.exe
c:\windows\system32\82.exe
c:\windows\system32\84.exe
c:\windows\system32\85.exe
c:\windows\system32\88.exe
c:\windows\system32\i
c:\windows\system32\msvcrt2.dll

----- File Replicators -----

c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\EMLZTBHK\afkf[1].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\EMLZTBHK\afkf[2].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\EMLZTBHK\eeny[1].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KB825NKO\afkf[1].exe .. failed to delete
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KB825NKO\afkf[2].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KB825NKO\rvqf[1].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KRQEQQYS\afkf[1].exe .. failed to delete
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KRQEQQYS\afkf[2].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KRQEQQYS\eeny[1].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KRQEQQYS\eeny[2].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KRQEQQYS\eeny[3].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KRQEQQYS\rvqf[1].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KRQEQQYS\rvqf[2].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OJPDN21W\afkf[1].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OJPDN21W\afkf[2].exe
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OJPDN21W\rvqf[1].exe
c:\windows\system32\00.exe
c:\windows\system32\02.exe
c:\windows\system32\04.exe
c:\windows\system32\05.exe
c:\windows\system32\06.exe
c:\windows\system32\07.exe
c:\windows\system32\08.exe
c:\windows\system32\10.exe
c:\windows\system32\12.exe
c:\windows\system32\13.exe
c:\windows\system32\14.exe
c:\windows\system32\15.exe
c:\windows\system32\16.exe
c:\windows\system32\17.exe
c:\windows\system32\18.exe
c:\windows\system32\20.exe
c:\windows\system32\21.exe
c:\windows\system32\22.exe
c:\windows\system32\23.exe
c:\windows\system32\24.exe
c:\windows\system32\25.exe
c:\windows\system32\26.exe
c:\windows\system32\27.exe
c:\windows\system32\28.exe
c:\windows\system32\30.exe
c:\windows\system32\31.exe
c:\windows\system32\32.exe
c:\windows\system32\33.exe
c:\windows\system32\34.exe
c:\windows\system32\35.exe
c:\windows\system32\36.exe
c:\windows\system32\37.exe
c:\windows\system32\38.exe
c:\windows\system32\40.exe
c:\windows\system32\41.exe
c:\windows\system32\42.exe
c:\windows\system32\43.exe
c:\windows\system32\44.exe
c:\windows\system32\45.exe
c:\windows\system32\46.exe
c:\windows\system32\47.exe
c:\windows\system32\48.exe
c:\windows\system32\51.exe
c:\windows\system32\52.exe
c:\windows\system32\53.exe
c:\windows\system32\54.exe
c:\windows\system32\55.exe
c:\windows\system32\56.exe
c:\windows\system32\57.exe
c:\windows\system32\58.exe
c:\windows\system32\60.exe
c:\windows\system32\62.exe
c:\windows\system32\63.exe
c:\windows\system32\64.exe
c:\windows\system32\65.exe
c:\windows\system32\66.exe
c:\windows\system32\67.exe
c:\windows\system32\70.exe
c:\windows\system32\72.exe
c:\windows\system32\73.exe
c:\windows\system32\74.exe
c:\windows\system32\75.exe
c:\windows\system32\76.exe
c:\windows\system32\77.exe
c:\windows\system32\80.exe
c:\windows\system32\81.exe
c:\windows\system32\82.exe
c:\windows\system32\85.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VMWARESERVICE
-------\Legacy_WINDOWS_HOSTS_CONTROLLER
-------\Service_Windows Hosts Controller
-------\Legacy_bdkoo
-------\Service_bdkoo


((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-28 )))))))))))))))))))))))))))))))
.

2010-11-28 19:39 . 2010-11-28 19:39 94208 --sh--r- c:\documents and settings\Sandra\Application Data\ltzqai.exe
2010-11-25 08:00 . 2010-11-25 08:00 -------- d-----w- c:\documents and settings\Sandra\Local Settings\Application Data\ESET
2010-11-25 07:58 . 2010-11-25 07:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2010-11-25 07:56 . 2010-11-25 07:56 -------- d-----w- c:\program files\ESET
2010-11-25 07:56 . 2010-11-25 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-11-25 07:54 . 2010-11-25 07:54 61440 --sh--r- c:\windows\cwdrive32.exe
2010-11-10 09:51 . 2003-03-18 19:04 765952 ----a-w- c:\windows\system32\msvcp71d.dll
2010-11-10 09:51 . 2003-03-18 19:03 544768 ----a-w- c:\windows\system32\msvcr71d.dll
2010-11-10 09:51 . 2010-11-23 08:45 -------- d-----w- c:\program files\ALCATEL PC Suite
2010-11-10 09:50 . 2006-09-09 15:46 131072 ----a-w- c:\windows\system32\mtkjpeg.dll
2010-11-05 20:22 . 2008-04-13 23:15 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2010-11-05 20:22 . 2008-04-13 23:15 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2010-10-30 21:58 . 2010-10-30 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaInstallerCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-15 02:50 . 2010-04-18 12:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 00:29 . 2010-04-18 12:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2008-12-14 22:57 . 2008-12-14 22:57 1851544 ----a-w- c:\program files\install_flash_player.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"POP Peeper"="c:\program files\POP Peeper\POPPeeper.exe" [2008-03-11 1429504]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsgTranAgt"="c:\program files\ASUS\ATK Hotkey\MsgTranAgt.exe" [2008-08-18 117304]
"HControlUser"="c:\program files\ASUS\ATK Hotkey\HControlUser.exe" [2008-08-18 98304]
"ATKHOTKEY"="c:\program files\ASUS\ATK Hotkey\HControl.exe" [2008-10-20 166456]
"ATKOSD2"="c:\program files\ATKOSD2\ATKOSD2.exe" [2008-01-23 7766016]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2008-02-01 61440]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-18 16855040]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-19 13545472]
"nwiz"="nwiz.exe" [2008-09-19 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-19 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-12 815104]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"ACU"="c:\program files\Atheros\ACU.exe" [2008-07-21 450649]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-07-26 90112]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2010-09-23 624056]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"gemstrmw"="c:\windows\system32\gemstrmw.exe" [2005-02-07 24576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-11-04 2219184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

c:\documents and settings\Sandra\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-4-14 596584]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2009-3-17 1466384]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe,c:\documents and settings\Sandra\Application Data\ltzqai.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"="c:\documents and settings\Sandra\Application Data\ltzqai.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.321\\English\\setup.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5969:TCP"= 5969:TCP:iddclafz
"9999:TCP"= 9999:TCP:PORT1
"9991:TCP"= 9991:TCP:PORT2
"1013:TCP"= 1013:TCP:BS
"7943:TCP"= 7943:TCP:FD

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 12:31 PM 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [8/3/2010 12:28 PM 95896]
R1 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\HWiNFO32\HWiNFO32.SYS [4/8/2009 2:34 PM 16872]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/4/2010 5:15 PM 810144]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [12/14/2008 12:18 AM 41376]
S2 bdkoo;Support Helper;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 1:00 PM 14336]
S3 CRFILTER;USB Mass Storage Filter;c:\windows\system32\drivers\CRFILTER.sys [4/7/2008 2:00 PM 6656]
S3 fvehs;fvehs;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 GemCCID;GemCCID;c:\windows\system32\drivers\GemCCID.sys [8/10/2009 12:07 PM 89600]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [1/21/2010 7:19 PM 100480]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
mrbqd
bdkoo
.
Contents of the 'Scheduled Tasks' folder

2010-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = https://webmail.eu.avon.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {62CF4D10-EBA7-45DA-ACA0-4B002E8B3A85} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiNetSetPlugIn.cab
DPF: {7136C6F0-DE59-4AD5-B4A3-CA8B779D035E} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiSetPinPlugin.cab
DPF: {DC01983E-2FD5-4200-9C3A-755E86413172} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiPKCS11Plugin.cab
FF - ProfilePath - c:\documents and settings\Sandra\Application Data\Mozilla\Firefox\Profiles\9bo71q6s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php?ref=home
FF - plugin: c:\documents and settings\Sandra\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Sandra\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np72esk32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPeWebEditPro.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\documents and settings\Sandra\Desktop\rmplstinski\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-28 20:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fvehs]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bdkoo]
"ServiceDll"="c:\windows\system32\iyxvc.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(844)
c:\windows\system32\btmmhook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\ATKGFNEX\GFNEXSrv.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\ASUS\ATK Hotkey\ATKOSD.exe
c:\program files\ASUS\ATK Hotkey\KBFiltr.exe
c:\program files\ASUS\ATK Hotkey\WDC.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\PC Connectivity Solution\NclBTHandler.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\cwdrive32.exe
c:\windows\system32\msvmiode.exe
.
**************************************************************************
.
Completion time: 2010-11-28 20:43:17 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-28 19:43
ComboFix2.txt 2009-04-07 10:51
ComboFix3.txt 2009-03-15 12:53
ComboFix4.txt 2009-03-15 12:19
ComboFix5.txt 2010-11-28 19:23

Pre-Run: 15.821.639.680 bytes free
Post-Run: 17.088.765.952 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 223E47C91D857C12A43FB07FD5060C1A

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text into it:


File::
c:\windows\cwdrive32.exe
c:\windows\system32\msvmiode.exe

Rootkit::
c:\windows\system32\01.tmp
c:\windows\system32\iyxvc.dll

KillAll::

RegLock::
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

NetSvc::
mrbqd
bdkoo

Driver::
fvehs

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5969:TCP"=-



Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
In your next message, post the log that is produced at the end of the cleaning/scan.

  • Joined: 01 Oct 2003
  • Posts: 2383
  • Location: Beograd

ComboFix 10-11-28.01 - Sandra 28.11.2010 23:25:20.10.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.2135 [GMT 1:00]
Running from: c:\documents and settings\Sandra\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sandra\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FILE ::
"c:\windows\cwdrive32.exe"
"c:\windows\system32\msvmiode.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sandra\Application Data\ltzqai.exe
c:\recycler\S-1-5-21-2085050063-1747707168-853831561-2951\syscr.exe
c:\windows\cwdrive32.exe
c:\windows\system32\02.exe
c:\windows\system32\34.exe
c:\windows\system32\76.exe
c:\windows\system32\msvmiode.exe
.
---- Previous Run -------
.
c:\documents and settings\Sandra\Application Data\ltzqai.exe
c:\documents and settings\Sandra\Application Data\oekx.exe
c:\windows\cwdrive32.exe
c:\windows\system32\18.exe
c:\windows\system32\21.exe
c:\windows\system32\24.exe
c:\windows\system32\54.exe
c:\windows\system32\55.exe
c:\windows\system32\60.exe
c:\windows\system32\62.exe
c:\windows\system32\64.exe
c:\windows\system32\72.exe
c:\windows\system32\75.exe
c:\windows\system32\76.exe
c:\windows\system32\77.exe
c:\windows\system32\78.exe
c:\windows\system32\82.exe
c:\windows\system32\88.exe

----- File Replicators -----

.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_fvehs
-------\Legacy_bdkoo
-------\Service_bdkoo
-------\Legacy_bdkoo
-------\Service_bdkoo


((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-28 )))))))))))))))))))))))))))))))
.

2010-11-28 21:16 . 2009-08-06 18:24 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-11-25 08:00 . 2010-11-25 08:00 -------- d-----w- c:\documents and settings\Sandra\Local Settings\Application Data\ESET
2010-11-25 07:58 . 2010-11-25 07:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2010-11-25 07:56 . 2010-11-25 07:56 -------- d-----w- c:\program files\ESET
2010-11-25 07:56 . 2010-11-25 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-11-10 09:51 . 2003-03-18 19:04 765952 ----a-w- c:\windows\system32\msvcp71d.dll
2010-11-10 09:51 . 2003-03-18 19:03 544768 ----a-w- c:\windows\system32\msvcr71d.dll
2010-11-10 09:51 . 2010-11-23 08:45 -------- d-----w- c:\program files\ALCATEL PC Suite
2010-11-10 09:50 . 2006-09-09 15:46 131072 ----a-w- c:\windows\system32\mtkjpeg.dll
2010-11-05 20:22 . 2008-04-13 23:15 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2010-11-05 20:22 . 2008-04-13 23:15 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2010-10-30 21:58 . 2010-10-30 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaInstallerCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-15 02:50 . 2010-04-18 12:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 00:29 . 2010-04-18 12:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2008-12-14 22:57 . 2008-12-14 22:57 1851544 ----a-w- c:\program files\install_flash_player.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-11-28_19.39.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-28 22:31 . 2010-11-28 22:31 16384 c:\windows\temp\Perflib_Perfdata_670.dat
+ 2008-12-14 22:29 . 2009-08-06 18:24 44768 c:\windows\system32\wups2.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 35552 c:\windows\system32\wups.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 53472 c:\windows\system32\wuauclt.exe
+ 2010-11-28 21:16 . 2009-08-06 18:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2010-11-28 21:16 . 2009-08-06 18:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2008-04-14 12:00 . 2009-08-06 18:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2008-04-14 12:00 . 2009-08-06 18:24 96480 c:\windows\system32\cdm.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 209624 c:\windows\system32\wuweb.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 327896 c:\windows\system32\wucltui.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 575704 c:\windows\system32\wuapi.dll
+ 2010-11-28 21:16 . 2009-08-06 18:23 575704 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wuapi.dll\7.4.7600.226\wuapi.dll
+ 2009-03-18 22:51 . 2009-08-06 18:23 215904 c:\windows\system32\muweb.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 209624 c:\windows\system32\dllcache\wuweb.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 1929952 c:\windows\system32\wuaueng.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"POP Peeper"="c:\program files\POP Peeper\POPPeeper.exe" [2008-03-11 1429504]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsgTranAgt"="c:\program files\ASUS\ATK Hotkey\MsgTranAgt.exe" [2008-08-18 117304]
"HControlUser"="c:\program files\ASUS\ATK Hotkey\HControlUser.exe" [2008-08-18 98304]
"ATKHOTKEY"="c:\program files\ASUS\ATK Hotkey\HControl.exe" [2008-10-20 166456]
"ATKOSD2"="c:\program files\ATKOSD2\ATKOSD2.exe" [2008-01-23 7766016]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2008-02-01 61440]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-18 16855040]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-19 13545472]
"nwiz"="nwiz.exe" [2008-09-19 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-19 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-12 815104]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"ACU"="c:\program files\Atheros\ACU.exe" [2008-07-21 450649]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-07-26 90112]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2010-09-23 624056]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"gemstrmw"="c:\windows\system32\gemstrmw.exe" [2005-02-07 24576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-11-04 2219184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

c:\documents and settings\Sandra\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-4-14 596584]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2009-3-17 1466384]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.321\\English\\setup.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:TCP"= 9999:TCP:PORT1
"9991:TCP"= 9991:TCP:PORT2
"1013:TCP"= 1013:TCP:BS
"7943:TCP"= 7943:TCP:FD

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 12:31 PM 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [8/3/2010 12:28 PM 95896]
R1 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\HWiNFO32\HWiNFO32.SYS [4/8/2009 2:34 PM 16872]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/4/2010 5:15 PM 810144]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [12/14/2008 12:18 AM 41376]
S2 bdkoo;Support Helper;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 1:00 PM 14336]
S3 CRFILTER;USB Mass Storage Filter;c:\windows\system32\drivers\CRFILTER.sys [4/7/2008 2:00 PM 6656]
S3 GemCCID;GemCCID;c:\windows\system32\drivers\GemCCID.sys [8/10/2009 12:07 PM 89600]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [1/21/2010 7:19 PM 100480]
.
Contents of the 'Scheduled Tasks' folder

2010-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = https://webmail.eu.avon.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {62CF4D10-EBA7-45DA-ACA0-4B002E8B3A85} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiNetSetPlugIn.cab
DPF: {7136C6F0-DE59-4AD5-B4A3-CA8B779D035E} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiSetPinPlugin.cab
DPF: {DC01983E-2FD5-4200-9C3A-755E86413172} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiPKCS11Plugin.cab
FF - ProfilePath - c:\documents and settings\Sandra\Application Data\Mozilla\Firefox\Profiles\9bo71q6s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php?ref=home
FF - plugin: c:\documents and settings\Sandra\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Sandra\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np72esk32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPeWebEditPro.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bdkoo]
"ServiceDll"="c:\windows\system32\iyxvc.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(620)
c:\windows\system32\btmmhook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\ATKGFNEX\GFNEXSrv.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\ASUS\ATK Hotkey\ATKOSD.exe
c:\program files\ASUS\ATK Hotkey\KBFiltr.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\ASUS\ATK Hotkey\WDC.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\PC Connectivity Solution\NclBTHandler.exe
.
**************************************************************************
.
Completion time: 2010-11-28 23:35:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-28 22:35
ComboFix2.txt 2010-11-28 19:43
ComboFix3.txt 2009-04-07 10:51
ComboFix4.txt 2009-03-15 12:53
ComboFix5.txt 2010-11-28 21:42

Pre-Run: 17.063.653.376 bytes free
Post-Run: 17.046.175.744 bytes free

- - End Of File - - F96BAB58B1E68EA25853C406EE442CBA

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Once more...

Open Notepad and copy the following text into it:

File::
c:\windows\system32\iyxvc.dll

Driver::
bdkoo



Save the Notepad file to the Desktop as "CFScript".

Drag the saved script/text file onto the ComboFix icon, as shown in the picture.
In your next message, post the log that is produced at the end of the cleaning/scan.

  • Joined: 01 Oct 2003
  • Posts: 2383
  • Location: Beograd

ComboFix 10-11-28.01 - Sandra 29.11.2010 0:25.11.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.2085 [GMT 1:00]
Running from: c:\documents and settings\Sandra\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sandra\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FILE ::
"c:\windows\system32\iyxvc.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sandra\Application Data\ltzqai.exe
c:\windows\system32\06.exe
c:\windows\system32\17.exe
c:\windows\system32\21.exe
c:\windows\system32\32.exe
c:\windows\system32\46.exe
c:\windows\system32\48.exe
c:\windows\system32\50.exe
c:\windows\system32\71.exe
c:\windows\system32\77.exe
c:\windows\system32\85.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_bdkoo


((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-28 )))))))))))))))))))))))))))))))
.

2010-11-28 21:16 . 2009-08-06 18:24 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-11-25 08:00 . 2010-11-25 08:00 -------- d-----w- c:\documents and settings\Sandra\Local Settings\Application Data\ESET
2010-11-25 07:58 . 2010-11-25 07:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2010-11-25 07:56 . 2010-11-25 07:56 -------- d-----w- c:\program files\ESET
2010-11-25 07:56 . 2010-11-25 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-11-10 09:51 . 2003-03-18 19:04 765952 ----a-w- c:\windows\system32\msvcp71d.dll
2010-11-10 09:51 . 2003-03-18 19:03 544768 ----a-w- c:\windows\system32\msvcr71d.dll
2010-11-10 09:51 . 2010-11-23 08:45 -------- d-----w- c:\program files\ALCATEL PC Suite
2010-11-10 09:50 . 2006-09-09 15:46 131072 ----a-w- c:\windows\system32\mtkjpeg.dll
2010-11-05 20:22 . 2008-04-13 23:15 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2010-11-05 20:22 . 2008-04-13 23:15 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2010-10-30 21:58 . 2010-10-30 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaInstallerCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-15 02:50 . 2010-04-18 12:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 00:29 . 2010-04-18 12:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2008-12-14 22:57 . 2008-12-14 22:57 1851544 ----a-w- c:\program files\install_flash_player.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-11-28_19.39.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-28 23:30 . 2010-11-28 23:30 16384 c:\windows\temp\Perflib_Perfdata_658.dat
+ 2008-12-14 22:29 . 2009-08-06 18:24 44768 c:\windows\system32\wups2.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 35552 c:\windows\system32\wups.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 53472 c:\windows\system32\wuauclt.exe
+ 2010-11-28 21:16 . 2009-08-06 18:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2010-11-28 21:16 . 2009-08-06 18:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2008-04-14 12:00 . 2009-08-06 18:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2008-04-14 12:00 . 2009-08-06 18:24 96480 c:\windows\system32\cdm.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 209624 c:\windows\system32\wuweb.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 327896 c:\windows\system32\wucltui.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 575704 c:\windows\system32\wuapi.dll
+ 2010-11-28 21:16 . 2009-08-06 18:23 575704 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wuapi.dll\7.4.7600.226\wuapi.dll
+ 2009-03-18 22:51 . 2009-08-06 18:23 215904 c:\windows\system32\muweb.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 209624 c:\windows\system32\dllcache\wuweb.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 1929952 c:\windows\system32\wuaueng.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"POP Peeper"="c:\program files\POP Peeper\POPPeeper.exe" [2008-03-11 1429504]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsgTranAgt"="c:\program files\ASUS\ATK Hotkey\MsgTranAgt.exe" [2008-08-18 117304]
"HControlUser"="c:\program files\ASUS\ATK Hotkey\HControlUser.exe" [2008-08-18 98304]
"ATKHOTKEY"="c:\program files\ASUS\ATK Hotkey\HControl.exe" [2008-10-20 166456]
"ATKOSD2"="c:\program files\ATKOSD2\ATKOSD2.exe" [2008-01-23 7766016]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2008-02-01 61440]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-18 16855040]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-19 13545472]
"nwiz"="nwiz.exe" [2008-09-19 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-19 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-12 815104]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"ACU"="c:\program files\Atheros\ACU.exe" [2008-07-21 450649]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-07-26 90112]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2010-09-23 624056]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"gemstrmw"="c:\windows\system32\gemstrmw.exe" [2005-02-07 24576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-11-04 2219184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

c:\documents and settings\Sandra\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-4-14 596584]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2009-3-17 1466384]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.321\\English\\setup.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:TCP"= 9999:TCP:PORT1
"9991:TCP"= 9991:TCP:PORT2
"1013:TCP"= 1013:TCP:BS
"7943:TCP"= 7943:TCP:FD

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 12:31 PM 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [8/3/2010 12:28 PM 95896]
R1 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\HWiNFO32\HWiNFO32.SYS [4/8/2009 2:34 PM 16872]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/4/2010 5:15 PM 810144]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [12/14/2008 12:18 AM 41376]
S3 CRFILTER;USB Mass Storage Filter;c:\windows\system32\drivers\CRFILTER.sys [4/7/2008 2:00 PM 6656]
S3 GemCCID;GemCCID;c:\windows\system32\drivers\GemCCID.sys [8/10/2009 12:07 PM 89600]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [1/21/2010 7:19 PM 100480]
.
Contents of the 'Scheduled Tasks' folder

2010-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = https://webmail.eu.avon.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {62CF4D10-EBA7-45DA-ACA0-4B002E8B3A85} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiNetSetPlugIn.cab
DPF: {7136C6F0-DE59-4AD5-B4A3-CA8B779D035E} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiSetPinPlugin.cab
DPF: {DC01983E-2FD5-4200-9C3A-755E86413172} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiPKCS11Plugin.cab
FF - ProfilePath - c:\documents and settings\Sandra\Application Data\Mozilla\Firefox\Profiles\9bo71q6s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php?ref=home
FF - plugin: c:\documents and settings\Sandra\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Sandra\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np72esk32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPeWebEditPro.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4056)
c:\windows\system32\btmmhook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\ATKGFNEX\GFNEXSrv.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\ASUS\ATK Hotkey\ATKOSD.exe
c:\program files\ASUS\ATK Hotkey\KBFiltr.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\ASUS\ATK Hotkey\WDC.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\PC Connectivity Solution\NclBTHandler.exe
c:\docume~1\Sandra\LOCALS~1\Temp\391.exe
.
**************************************************************************
.
Completion time: 2010-11-29 00:34:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-28 23:34
ComboFix2.txt 2010-11-28 22:35
ComboFix3.txt 2010-11-28 19:43
ComboFix4.txt 2009-04-07 10:51
ComboFix5.txt 2010-11-28 23:25

Pre-Run: 17.040.920.576 bytes free
Post-Run: 17.024.282.624 bytes free

- - End Of File - - 4FED1D843F6200731F037DE687D8950C

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Run ComboFix again by double-clicking it and post the new log.

  • Joined: 01 Oct 2003
  • Posts: 2383
  • Location: Beograd

ComboFix 10-11-28.01 - Sandra 29.11.2010 8:47.12.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.2212 [GMT 1:00]
Running from: c:\documents and settings\Sandra\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sandra\Application Data\ltzqai.exe
c:\recycler\S-1-5-21-5117419839-3614287403-644965997-3360\syscr.exe
c:\windows\system32\31.exe
c:\windows\system32\85.exe

.
((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-29 )))))))))))))))))))))))))))))))
.

2010-11-29 07:36 . 2010-11-29 07:35 126976 --sh--r- c:\windows\cwdrive32.exe
2010-11-28 23:32 . 2010-11-28 23:32 60480 ----a-w- c:\windows\system32\x
2010-11-28 21:16 . 2009-08-06 18:24 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-11-25 08:00 . 2010-11-25 08:00 -------- d-----w- c:\documents and settings\Sandra\Local Settings\Application Data\ESET
2010-11-25 07:58 . 2010-11-25 07:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2010-11-25 07:56 . 2010-11-25 07:56 -------- d-----w- c:\program files\ESET
2010-11-25 07:56 . 2010-11-25 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-11-10 09:51 . 2003-03-18 19:04 765952 ----a-w- c:\windows\system32\msvcp71d.dll
2010-11-10 09:51 . 2003-03-18 19:03 544768 ----a-w- c:\windows\system32\msvcr71d.dll
2010-11-10 09:51 . 2010-11-23 08:45 -------- d-----w- c:\program files\ALCATEL PC Suite
2010-11-10 09:50 . 2006-09-09 15:46 131072 ----a-w- c:\windows\system32\mtkjpeg.dll
2010-11-05 20:22 . 2008-04-13 23:15 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2010-11-05 20:22 . 2008-04-13 23:15 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2010-10-30 21:58 . 2010-10-30 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaInstallerCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-15 02:50 . 2010-04-18 12:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 00:29 . 2010-04-18 12:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2008-12-14 22:57 . 2008-12-14 22:57 1851544 ----a-w- c:\program files\install_flash_player.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-11-28_19.39.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-29 07:35 . 2010-11-29 07:35 16384 c:\windows\temp\Perflib_Perfdata_670.dat
+ 2008-12-14 22:29 . 2009-08-06 18:24 44768 c:\windows\system32\wups2.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 35552 c:\windows\system32\wups.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 53472 c:\windows\system32\wuauclt.exe
+ 2010-11-28 21:16 . 2009-08-06 18:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2010-11-28 21:16 . 2009-08-06 18:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2008-04-14 12:00 . 2009-08-06 18:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2008-04-14 12:00 . 2009-08-06 18:24 96480 c:\windows\system32\cdm.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 209624 c:\windows\system32\wuweb.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 327896 c:\windows\system32\wucltui.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 575704 c:\windows\system32\wuapi.dll
+ 2010-11-28 21:16 . 2009-08-06 18:23 575704 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wuapi.dll\7.4.7600.226\wuapi.dll
+ 2009-03-18 22:51 . 2009-08-06 18:23 215904 c:\windows\system32\muweb.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 209624 c:\windows\system32\dllcache\wuweb.dll
+ 2008-12-13 14:44 . 2009-08-06 18:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 1929952 c:\windows\system32\wuaueng.dll
+ 2008-12-13 14:44 . 2009-08-06 18:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"POP Peeper"="c:\program files\POP Peeper\POPPeeper.exe" [2008-03-11 1429504]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsgTranAgt"="c:\program files\ASUS\ATK Hotkey\MsgTranAgt.exe" [2008-08-18 117304]
"HControlUser"="c:\program files\ASUS\ATK Hotkey\HControlUser.exe" [2008-08-18 98304]
"ATKHOTKEY"="c:\program files\ASUS\ATK Hotkey\HControl.exe" [2008-10-20 166456]
"ATKOSD2"="c:\program files\ATKOSD2\ATKOSD2.exe" [2008-01-23 7766016]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2008-02-01 61440]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-18 16855040]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-19 13545472]
"nwiz"="nwiz.exe" [2008-09-19 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-19 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-12 815104]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"ACU"="c:\program files\Atheros\ACU.exe" [2008-07-21 450649]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-07-26 90112]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2010-09-23 624056]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"gemstrmw"="c:\windows\system32\gemstrmw.exe" [2005-02-07 24576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-11-04 2219184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

c:\documents and settings\Sandra\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-4-14 596584]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2009-3-17 1466384]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.321\\English\\setup.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:TCP"= 9999:TCP:PORT1
"9991:TCP"= 9991:TCP:PORT2
"1013:TCP"= 1013:TCP:BS
"7943:TCP"= 7943:TCP:FD

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 12:31 PM 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [8/3/2010 12:28 PM 95896]
R1 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\HWiNFO32\HWiNFO32.SYS [4/8/2009 2:34 PM 16872]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/4/2010 5:15 PM 810144]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [12/14/2008 12:18 AM 41376]
S3 CRFILTER;USB Mass Storage Filter;c:\windows\system32\drivers\CRFILTER.sys [4/7/2008 2:00 PM 6656]
S3 GemCCID;GemCCID;c:\windows\system32\drivers\GemCCID.sys [8/10/2009 12:07 PM 89600]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [1/21/2010 7:19 PM 100480]
.
Contents of the 'Scheduled Tasks' folder

2010-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = https://webmail.eu.avon.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {62CF4D10-EBA7-45DA-ACA0-4B002E8B3A85} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiNetSetPlugIn.cab
DPF: {7136C6F0-DE59-4AD5-B4A3-CA8B779D035E} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiSetPinPlugin.cab
DPF: {DC01983E-2FD5-4200-9C3A-755E86413172} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiPKCS11Plugin.cab
FF - ProfilePath - c:\documents and settings\Sandra\Application Data\Mozilla\Firefox\Profiles\9bo71q6s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php?ref=home
FF - plugin: c:\documents and settings\Sandra\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Sandra\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np72esk32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPeWebEditPro.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-29 08:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
Completion time: 2010-11-29 08:54:00
ComboFix-quarantined-files.txt 2010-11-29 07:53
ComboFix2.txt 2010-11-28 23:34
ComboFix3.txt 2010-11-28 22:35
ComboFix4.txt 2010-11-28 19:43
ComboFix5.txt 2010-11-29 07:47

Pre-Run: 17.034.317.824 bytes free
Post-Run: 17.016.975.360 bytes free

- - End Of File - - 015D94905BAF7291593BA92A87FB0E0F

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text into it:

File::
c:\windows\cwdrive32.exe
c:\windows\system32\x

Save the file from Notepad to the Desktop as "CFScript".

Drag the saved script/text file onto the ComboFix icon as shown in the picture.
Post the log that is produced at the end of the cleaning/scanning in your next reply.
