User32.dll

1

User32.dll

offline
  • Pridružio: 21 Jan 2009
  • Poruke: 6

Znaci ubija me ovo...ovaj stupid user32.dll

Ne mogu mu nista ni avast,ni nod,ni gomila programa (ccleaner,puno malware programa,jednostavno je neunistiv Sad )

Evo screen-a,znaci to mi non-stop izlazi poludeo sam....



A evo i loga iz hijack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:29:01, on 1/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\pes\TR3.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = search.live.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UrlHelper Class - {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Mario Forever Toolbar Helper - {8036D4D7-AAD3-4793-AB49-329E437155A8} - C:\Program Files\Mario Forever Toolbar\v2.0.0.3\Mario_Forever_Toolbar.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Mario Forever Toolbar - {463DF6D5-BEC1-4d67-B217-59DB692DFC53} - C:\Program Files\Mario Forever Toolbar\v2.0.0.3\Mario_Forever_Toolbar.dll
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [Pinnacle WebUpdater] "C:\Program Files\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" -s -f=UpdateVersion.xml -url=http://cdn.pinnaclesys.com/SupportFiles
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 6307 bytes

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Pozdrav...



Pokreni ESET Smart Security/ESET NOD32 na sledeci nacin :
Start>All Programs>ESET>ESET Smart Security ili pak ESET NOD32 Antivirus(ukoliko koristis samo Antivirus resenje).

* Kada ti se otvori glavni prozor programa, klikni na Setup opciju sa leve strane prozora;
* Izaberi Antivirus and antispyware opciju i klikni na Temporarily disable Antivirus and antispyware protection.
* Na sledece pitanje klikni Yes.



Takođe, isključi i MBAM Protection modul.




Arrow Skini ComboFix sa jedne od sledecih adresa na Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Startuj ga i ne diraj prozor programa dok skenira.
Sledi uputstva na ekranu. Kada zavrsi pojavice se log (C:\ComboFix.txt) koji ces nam ovde iskopirati.

offline
  • Pridružio: 21 Jan 2009
  • Poruke: 6

ComboFix 09-01-21.01 - Administrator 2009-01-21 21:17:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.512.119 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-12-21 to 2009-01-21 )))))))))))))))))))))))))))))))
.

2009-01-21 00:30 . 2009-01-21 00:32 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-21 00:30 . 2009-01-21 00:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-21 00:30 . 2009-01-21 00:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-21 00:30 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-21 00:30 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-20 23:57 . 2008-01-07 14:29 352 --ah----- c:\windows\nod32fixtemdono.reg
2009-01-20 23:55 . 2009-01-20 23:55 <DIR> d-------- c:\program files\ESET
2009-01-20 19:32 . 2009-01-20 19:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\KONAMI
2009-01-20 15:41 . 2001-09-24 17:43 232 --------- c:\windows\XIIIHooligans.ini
2009-01-19 18:08 . 2009-01-19 18:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\vlc
2009-01-19 15:27 . 2009-01-20 15:41 <DIR> d-------- c:\program files\Hooligans
2009-01-19 01:10 . 2009-01-21 05:17 <DIR> d-------- C:\CD
2009-01-18 23:05 . 2009-01-18 23:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\eboostr
2009-01-17 15:15 . 2009-01-17 15:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
2009-01-17 15:15 . 2009-01-17 15:15 <DIR> d-------- c:\documents and settings\Administrator\Application Data\ATI
2009-01-17 15:05 . 2009-01-17 15:05 <DIR> d-------- c:\program files\Common Files\ATI Technologies
2009-01-17 14:58 . 2007-04-18 13:19 2,096 -ra------ c:\windows\system32\drivers\ativdkxx.vp
2009-01-17 14:57 . 2009-01-17 15:12 <DIR> d-------- c:\program files\ATI Technologies
2009-01-17 14:50 . 2009-01-17 14:50 0 --a------ c:\windows\ativpsrm.bin
2009-01-17 14:48 . 2007-08-21 21:05 593,920 --------- c:\windows\system32\ati2sgag.exe
2009-01-17 14:47 . 2009-01-17 14:47 <DIR> d-------- C:\ATI
2009-01-17 13:44 . 2009-01-17 13:44 108,144 --a------ c:\windows\system32\CmdLineExt.dll
2009-01-17 13:37 . 2009-01-17 13:37 <DIR> d-------- c:\program files\JoWooD
2009-01-16 03:54 . 2009-01-16 03:54 <DIR> d-------- c:\documents and settings\Administrator\Application Data\VitySoft
2009-01-15 21:25 . 2009-01-17 02:20 160 --a------ c:\windows\mafosav.INI
2009-01-14 23:23 . 2009-01-14 23:23 <DIR> d-------- c:\program files\Mario Forever Toolbar
2009-01-14 23:23 . 2009-01-14 23:23 325,346 --a------ c:\windows\Mario_Forever_Toolbar_Uninstaller_3343.exe
2009-01-14 23:22 . 2009-01-14 23:22 <DIR> d-------- c:\program files\Mario Forever
2009-01-10 18:33 . 2009-01-10 18:33 <DIR> d-------- c:\program files\Play+Smile
2009-01-10 18:33 . 2005-04-14 16:33 3,638 --ah----- c:\windows\ps.ico
2009-01-07 22:57 . 2009-01-15 02:14 <DIR> d-------- c:\program files\Counter-Strike 1.6
2009-01-06 19:53 . 2009-01-06 19:54 <DIR> d-------- c:\program files\CCleaner
2009-01-06 03:47 . 2009-01-06 03:48 <DIR> d-------- c:\documents and settings\Administrator\Application Data\iTurnOff
2009-01-05 16:16 . 2009-01-05 16:16 19,456 --ahs---- C:\Thumbs.db
2009-01-05 16:16 . 2009-01-05 16:16 7,680 --ahs---- c:\windows\Thumbs.db
2009-01-05 16:03 . 2009-01-05 16:03 <DIR> d-------- c:\program files\Image Grabber II
2009-01-05 01:15 . 2009-01-05 01:16 <DIR> d-------- c:\program files\YouTube Downloader
2009-01-03 00:18 . 2009-01-11 02:51 <DIR> d-------- c:\program files\URUSoft
2009-01-02 21:35 . 2009-01-02 21:37 <DIR> d-------- c:\documents and settings\Administrator\Application Data\smc
2009-01-02 21:31 . 2009-01-05 02:50 <DIR> d-------- c:\program files\Secret Maryo Chronicles
2009-01-01 14:56 . 2009-01-01 14:56 <DIR> d--h----- c:\windows\PIF
2008-12-31 15:19 . 2008-12-31 15:19 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Uniblue
2008-12-29 20:30 . 2008-12-29 20:30 <DIR> d-------- c:\program files\Alwil Software
2008-12-27 17:27 . 2008-12-27 17:27 <DIR> d-------- c:\documents and settings\Administrator\Application Data\www.pro-evo.xooit.fr
2008-12-27 11:23 . 2008-12-27 11:24 <DIR> d-------- c:\program files\The KMPlayer
2008-12-24 12:57 . 2009-01-03 02:48 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-24 12:57 . 2008-12-24 12:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-24 12:57 . 2008-12-24 12:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-12-24 12:56 . 2008-12-24 12:56 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-21 03:04 . 2008-12-21 03:04 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Delayed Shutdown

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-21 20:18 --------- d-----w c:\documents and settings\Administrator\Application Data\uTorrent
2009-01-21 15:09 --------- d-----w c:\documents and settings\Administrator\Application Data\skypePM
2009-01-20 19:57 --------- d-----w c:\documents and settings\Administrator\Application Data\Skype
2009-01-20 18:03 --------- d-----w c:\program files\7-Zip
2009-01-20 14:39 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-17 14:05 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-17 01:50 --------- d-----w c:\program files\Common Files\Adobe
2009-01-14 13:40 94,208 ----a-w c:\windows\DUMP830a.tmp
2009-01-14 13:40 94,208 ----a-w c:\windows\DUMP66d8.tmp
2009-01-09 20:21 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-06 13:36 --------- d-----w c:\program files\Messenger Plus! Live
2008-12-30 21:48 --------- d-----w c:\program files\Windows Live
2008-12-28 15:35 --------- d-----w c:\documents and settings\Administrator\Application Data\Hoyle
2008-12-18 19:21 --------- d-----w c:\program files\Microsoft Office Outlook Connector
2008-12-18 19:21 --------- d-----w c:\program files\Microsoft
2008-12-18 19:17 --------- d-----w c:\program files\Windows Live SkyDrive
2008-12-18 18:39 --------- d-----w c:\program files\Common Files\Windows Live
2008-12-15 00:43 --------- d-----w c:\documents and settings\Administrator\Application Data\Hoyle FaceCreator
2008-12-14 23:22 --------- d-----w c:\program files\Encore
2008-12-14 23:06 --------- d-----w c:\program files\Alcohol Soft
2008-12-14 15:57 603,904 ----a-w c:\windows\system32\TUProgSt.exe
2008-12-14 01:05 --------- d-----w c:\program files\eMule
2008-12-14 01:01 --------- d-----w c:\program files\Sony
2008-12-10 21:45 --------- d-----w c:\program files\Real Alternative
2008-12-09 01:24 --------- d-----w c:\documents and settings\All Users\Application Data\InterAction studios
2008-12-09 01:14 --------- d-----w c:\program files\Chicken Invaders 3
2008-12-09 01:13 --------- d-----w c:\program files\ReflexiveArcade
2008-12-08 21:17 --------- d-----w c:\program files\MessengerDiscovery
2008-12-08 12:51 577,024 ------r c:\windows\system32\user32.DLL
2008-12-07 22:22 --------- d-----w c:\documents and settings\Administrator\Application Data\Publish Providers
2008-12-07 21:49 --------- d-----w c:\documents and settings\Administrator\Application Data\Sony
2008-12-07 21:44 --------- d-----w c:\program files\Sony Setup
2008-12-03 12:41 --------- d-----w c:\program files\QuickTime Alternative
2008-12-03 12:41 --------- d-----w c:\program files\Common Files\Apple
2008-12-03 12:41 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-03 12:40 --------- d-----w c:\program files\Apple Software Update
2008-12-03 12:40 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-12-03 11:41 --------- d-----w c:\program files\JLC's Software
2008-12-03 11:40 --------- d-----w c:\program files\Webteh
2008-12-01 20:40 143,360 ------w c:\windows\system32\ati2evxx.dll
2008-12-01 19:57 48,640 ----a-w c:\windows\system32\amdpcom32.dll
2008-12-01 19:53 45,056 ----a-w c:\windows\system32\amdcalrt.dll
2008-12-01 19:53 45,056 ----a-w c:\windows\system32\amdcalcl.dll
2008-12-01 19:52 86,016 ----a-w c:\windows\system32\atiadlxx.dll
2008-12-01 19:50 3,252,224 ----a-w c:\windows\system32\Amdcaldd.dll
2008-11-30 11:51 --------- d-----w c:\program files\DivX
2008-11-29 19:31 --------- d-----w c:\program files\MSXML 4.0
2008-11-29 19:27 --------- d-----w c:\program files\Pinnacle
2008-11-29 18:01 --------- d-----w c:\documents and settings\All Users\Application Data\Pinnacle
2008-11-23 20:22 --------- d-----w c:\program files\Microsoft Silverlight
2008-11-23 00:03 --------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2008-11-22 01:03 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-11-22 01:03 --------- d-----w c:\program files\Java
2008-11-22 00:30 --------- d-----w c:\documents and settings\Administrator\Application Data\TuneUp Software
2008-11-22 00:29 --------- d-sh--w c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2008-11-22 00:29 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-10-21 18:51 118,784 ----a-w c:\windows\system32\atibrtmon.exe
.
c:\windows\system32\user32.dll ... is infected !!
577,024 2008-12-08 12:51:26 c:\windows\system32\user32.DLL
577,024 2008-12-08 12:51:26 c:\windows\system32\dllcache\user32.dll


------- Sigcheck -------

2008-12-08 13:51 577024 39a955067760d4f9bae8b715f09a524b c:\windows\system32\user32.DLL
2008-12-08 13:51 577024 1800f293bccc8ede8a70e12b88d80036 c:\windows\system32\dllcache\user32.dll

2002-12-31 13:00 360448 0601f83f6784c220ee302f03f702316e c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
2008-09-02 15:05 398776 --a------ c:\program files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2008-11-16 270128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-11-10 406016]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-01-14 399504]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-12-24 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Igre\\PES 2009\\pes2009.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Counter-Strike 1.6\\hl.exe"=
"c:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Igre\\JSL\\JSL_PATCH_2009.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-07-01 34312]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 55024]
R3 3xHybrid;Pinnacle PCTV 110i service;c:\windows\system32\drivers\3xHybrid.sys [2008-11-29 827008]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-01-21 15504]
R4 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]
R4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-01-21 170640]
S3 pctvvbi;PCTVVBI;c:\windows\system32\drivers\pctvvbi.sys [2008-11-29 6400]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
.
Contents of the 'Scheduled Tasks' folder

2009-01-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Pinnacle WebUpdater - c:\program files\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe -s -f=UpdateVersion.xml


.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.bearshare.com/intl/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\suqtakhz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-01-21 21:18:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,f0,c8,03,2e,28,
01,ff,86,e2,63,26,f1,3f,c8,ff,68,bd,e8,ef,47,9d,c1,9b,ab,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,dd,d6,b1,98,ab,
64,b6,a4,6a,9c,d6,61,af,45,84,18,32,85,ea,ef,50,8f,41,48,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,cb,77,09,eb,45,
5f,0c,08,ff,7c,85,e0,43,d4,0e,fe,dd,df,b4,02,01,cc,9c,c1,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:6b,65,49,6a,7e,99,74,f7,95,2b,96,a8,f9,
e6,c6,d6,86,8c,21,01,be,91,eb,e7,7b,10,9a,b6,74,c4,34,23,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,ab,79,0d,25,0f,
b5,1a,04,f5,1d,4d,73,a8,13,5c,05,78,55,b7,b9,74,93,ae,d1,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,4e,21,25,bf,dd,
bd,7e,be,df,20,58,62,78,6b,cf,c8,82,51,9b,9b,90,77,86,40,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,3c,d4,68,79,dd,
d5,23,f8,fb,a7,78,e6,12,2f,9a,ea,ee,e7,a7,df,38,ee,e2,10,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,dc,ab,3d,4c,39,
45,15,fa,01,3a,48,fc,e8,04,4a,f1,47,5f,df,f4,31,bc,e4,9d,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,9a,59,cb,8c,69,
b4,0b,ec,f6,0f,4e,58,98,5b,89,c9,fa,17,c0,ff,d1,88,a2,9d,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,c5,82,21,6e,2f,
9c,48,b9,3d,ce,ea,26,2d,45,aa,78,f4,c3,e8,32,99,01,0c,a0,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,3b,73,17,22,9e,
ec,c3,b2,2a,b7,cc,b5,b9,7f,41,e7,d8,88,69,ab,a7,a5,a0,01,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,5a,cc,8b,56,e0,
05,8b,38,6c,43,2d,1e,aa,22,2f,9c,0a,fa,ac,74,7d,b3,25,c9,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-21 21:20:45
ComboFix-quarantined-files.txt 2009-01-21 20:20:33

Pre-Run: 746,283,008 bytes free
Post-Run: 1,241,231,360 bytes free

288

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Zamolio bih te da ponovo pokreneš ComboFix ali ovaj put prihvati instalaciju Recovery Console kada ti program to ponudi.

Postavi log koji dobiješ na kraju postupka.

offline
  • Pridružio: 21 Jan 2009
  • Poruke: 6

ComboFix 09-01-21.01 - Administrator 2009-01-21 21:47:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.512.123 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2008-12-21 to 2009-01-21 )))))))))))))))))))))))))))))))
.

2009-01-21 00:30 . 2009-01-21 00:32 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-21 00:30 . 2009-01-21 00:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-21 00:30 . 2009-01-21 00:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-21 00:30 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-21 00:30 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-20 23:57 . 2008-01-07 14:29 352 --ah----- c:\windows\nod32fixtemdono.reg
2009-01-20 23:55 . 2009-01-20 23:55 <DIR> d-------- c:\program files\ESET
2009-01-20 19:32 . 2009-01-20 19:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\KONAMI
2009-01-20 15:41 . 2001-09-24 17:43 232 --------- c:\windows\XIIIHooligans.ini
2009-01-19 18:08 . 2009-01-19 18:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\vlc
2009-01-19 15:27 . 2009-01-20 15:41 <DIR> d-------- c:\program files\Hooligans
2009-01-19 01:10 . 2009-01-21 05:17 <DIR> d-------- C:\CD
2009-01-18 23:05 . 2009-01-18 23:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\eboostr
2009-01-17 15:15 . 2009-01-17 15:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
2009-01-17 15:15 . 2009-01-17 15:15 <DIR> d-------- c:\documents and settings\Administrator\Application Data\ATI
2009-01-17 15:05 . 2009-01-17 15:05 <DIR> d-------- c:\program files\Common Files\ATI Technologies
2009-01-17 14:58 . 2007-04-18 13:19 2,096 -ra------ c:\windows\system32\drivers\ativdkxx.vp
2009-01-17 14:57 . 2009-01-17 15:12 <DIR> d-------- c:\program files\ATI Technologies
2009-01-17 14:50 . 2009-01-17 14:50 0 --a------ c:\windows\ativpsrm.bin
2009-01-17 14:48 . 2007-08-21 21:05 593,920 --------- c:\windows\system32\ati2sgag.exe
2009-01-17 14:47 . 2009-01-17 14:47 <DIR> d-------- C:\ATI
2009-01-17 13:44 . 2009-01-17 13:44 108,144 --a------ c:\windows\system32\CmdLineExt.dll
2009-01-17 13:37 . 2009-01-17 13:37 <DIR> d-------- c:\program files\JoWooD
2009-01-16 03:54 . 2009-01-16 03:54 <DIR> d-------- c:\documents and settings\Administrator\Application Data\VitySoft
2009-01-15 21:25 . 2009-01-17 02:20 160 --a------ c:\windows\mafosav.INI
2009-01-14 23:23 . 2009-01-14 23:23 <DIR> d-------- c:\program files\Mario Forever Toolbar
2009-01-14 23:23 . 2009-01-14 23:23 325,346 --a------ c:\windows\Mario_Forever_Toolbar_Uninstaller_3343.exe
2009-01-14 23:22 . 2009-01-14 23:22 <DIR> d-------- c:\program files\Mario Forever
2009-01-10 18:33 . 2009-01-10 18:33 <DIR> d-------- c:\program files\Play+Smile
2009-01-10 18:33 . 2005-04-14 16:33 3,638 --ah----- c:\windows\ps.ico
2009-01-07 22:57 . 2009-01-15 02:14 <DIR> d-------- c:\program files\Counter-Strike 1.6
2009-01-06 19:53 . 2009-01-06 19:54 <DIR> d-------- c:\program files\CCleaner
2009-01-06 03:47 . 2009-01-06 03:48 <DIR> d-------- c:\documents and settings\Administrator\Application Data\iTurnOff
2009-01-05 16:16 . 2009-01-05 16:16 19,456 --ahs---- C:\Thumbs.db
2009-01-05 16:16 . 2009-01-05 16:16 7,680 --ahs---- c:\windows\Thumbs.db
2009-01-05 16:03 . 2009-01-05 16:03 <DIR> d-------- c:\program files\Image Grabber II
2009-01-05 01:15 . 2009-01-05 01:16 <DIR> d-------- c:\program files\YouTube Downloader
2009-01-03 00:18 . 2009-01-11 02:51 <DIR> d-------- c:\program files\URUSoft
2009-01-02 21:35 . 2009-01-02 21:37 <DIR> d-------- c:\documents and settings\Administrator\Application Data\smc
2009-01-02 21:31 . 2009-01-05 02:50 <DIR> d-------- c:\program files\Secret Maryo Chronicles
2009-01-01 14:56 . 2009-01-01 14:56 <DIR> d--h----- c:\windows\PIF
2008-12-31 15:19 . 2008-12-31 15:19 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Uniblue
2008-12-29 20:30 . 2008-12-29 20:30 <DIR> d-------- c:\program files\Alwil Software
2008-12-27 17:27 . 2008-12-27 17:27 <DIR> d-------- c:\documents and settings\Administrator\Application Data\www.pro-evo.xooit.fr
2008-12-27 11:23 . 2008-12-27 11:24 <DIR> d-------- c:\program files\The KMPlayer
2008-12-24 12:57 . 2009-01-03 02:48 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-24 12:57 . 2008-12-24 12:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-24 12:57 . 2008-12-24 12:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-12-24 12:56 . 2008-12-24 12:56 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-21 03:04 . 2008-12-21 03:04 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Delayed Shutdown

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-21 20:51 --------- d-----w c:\documents and settings\Administrator\Application Data\uTorrent
2009-01-21 20:51 --------- d-----w c:\documents and settings\Administrator\Application Data\skypePM
2009-01-20 19:57 --------- d-----w c:\documents and settings\Administrator\Application Data\Skype
2009-01-20 18:03 --------- d-----w c:\program files\7-Zip
2009-01-20 14:39 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-17 14:05 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-17 01:50 --------- d-----w c:\program files\Common Files\Adobe
2009-01-14 13:40 94,208 ----a-w c:\windows\DUMP830a.tmp
2009-01-14 13:40 94,208 ----a-w c:\windows\DUMP66d8.tmp
2009-01-09 20:21 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-06 13:36 --------- d-----w c:\program files\Messenger Plus! Live
2008-12-30 21:48 --------- d-----w c:\program files\Windows Live
2008-12-28 15:35 --------- d-----w c:\documents and settings\Administrator\Application Data\Hoyle
2008-12-18 19:21 --------- d-----w c:\program files\Microsoft Office Outlook Connector
2008-12-18 19:21 --------- d-----w c:\program files\Microsoft
2008-12-18 19:17 --------- d-----w c:\program files\Windows Live SkyDrive
2008-12-18 18:39 --------- d-----w c:\program files\Common Files\Windows Live
2008-12-15 00:43 --------- d-----w c:\documents and settings\Administrator\Application Data\Hoyle FaceCreator
2008-12-14 23:22 --------- d-----w c:\program files\Encore
2008-12-14 23:06 --------- d-----w c:\program files\Alcohol Soft
2008-12-14 01:05 --------- d-----w c:\program files\eMule
2008-12-14 01:01 --------- d-----w c:\program files\Sony
2008-12-10 21:45 --------- d-----w c:\program files\Real Alternative
2008-12-09 01:24 --------- d-----w c:\documents and settings\All Users\Application Data\InterAction studios
2008-12-09 01:14 --------- d-----w c:\program files\Chicken Invaders 3
2008-12-09 01:13 --------- d-----w c:\program files\ReflexiveArcade
2008-12-08 21:17 --------- d-----w c:\program files\MessengerDiscovery
2008-12-07 22:22 --------- d-----w c:\documents and settings\Administrator\Application Data\Publish Providers
2008-12-07 21:49 --------- d-----w c:\documents and settings\Administrator\Application Data\Sony
2008-12-07 21:44 --------- d-----w c:\program files\Sony Setup
2008-12-03 12:41 --------- d-----w c:\program files\QuickTime Alternative
2008-12-03 12:41 --------- d-----w c:\program files\Common Files\Apple
2008-12-03 12:41 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-03 12:40 --------- d-----w c:\program files\Apple Software Update
2008-12-03 12:40 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-12-03 11:41 --------- d-----w c:\program files\JLC's Software
2008-12-03 11:40 --------- d-----w c:\program files\Webteh
2008-11-30 11:51 --------- d-----w c:\program files\DivX
2008-11-29 19:31 --------- d-----w c:\program files\MSXML 4.0
2008-11-29 19:27 --------- d-----w c:\program files\Pinnacle
2008-11-29 18:01 --------- d-----w c:\documents and settings\All Users\Application Data\Pinnacle
2008-11-23 20:22 --------- d-----w c:\program files\Microsoft Silverlight
2008-11-23 00:03 --------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2008-11-22 01:03 --------- d-----w c:\program files\Java
2008-11-22 00:30 --------- d-----w c:\documents and settings\Administrator\Application Data\TuneUp Software
2008-11-22 00:29 --------- d-sh--w c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2008-11-22 00:29 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
.
file copied: c:\windows\system32\user32.dll -> c:\qoobox\Quarantine\C\WINDOWS\system32\user32.dll.vir ( 577024 bytes )
Infected c:\windows\system32\user32.dll hex repaired


------- Sigcheck -------

2002-12-31 13:00 360448 0601f83f6784c220ee302f03f702316e c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2009-01-21_21.19.40.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-21 20:50:33 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_70c.dat
+ 2009-01-21 20:51:06 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_d38.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
2008-09-02 15:05 398776 --a------ c:\program files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2008-11-16 270128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-11-10 406016]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-01-14 399504]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-12-24 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Igre\\PES 2009\\pes2009.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Counter-Strike 1.6\\hl.exe"=
"c:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Igre\\JSL\\JSL_PATCH_2009.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-07-01 34312]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 55024]
R3 3xHybrid;Pinnacle PCTV 110i service;c:\windows\system32\drivers\3xHybrid.sys [2008-11-29 827008]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-01-21 15504]
R4 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]
R4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-01-21 170640]
S3 pctvvbi;PCTVVBI;c:\windows\system32\drivers\pctvvbi.sys [2008-11-29 6400]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
.
Contents of the 'Scheduled Tasks' folder

2009-01-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.bearshare.com/intl/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\suqtakhz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-01-21 21:50:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,f0,c8,03,2e,28,
01,ff,86,e2,63,26,f1,3f,c8,ff,68,bd,e8,ef,47,9d,c1,9b,ab,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,dd,d6,b1,98,ab,
64,b6,a4,6a,9c,d6,61,af,45,84,18,32,85,ea,ef,50,8f,41,48,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,cb,77,09,eb,45,
5f,0c,08,ff,7c,85,e0,43,d4,0e,fe,dd,df,b4,02,01,cc,9c,c1,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:6b,65,49,6a,7e,99,74,f7,95,2b,96,a8,f9,
e6,c6,d6,86,8c,21,01,be,91,eb,e7,7b,10,9a,b6,74,c4,34,23,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,ab,79,0d,25,0f,
b5,1a,04,f5,1d,4d,73,a8,13,5c,05,78,55,b7,b9,74,93,ae,d1,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,4e,21,25,bf,dd,
bd,7e,be,df,20,58,62,78,6b,cf,c8,82,51,9b,9b,90,77,86,40,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,3c,d4,68,79,dd,
d5,23,f8,fb,a7,78,e6,12,2f,9a,ea,ee,e7,a7,df,38,ee,e2,10,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,dc,ab,3d,4c,39,
45,15,fa,01,3a,48,fc,e8,04,4a,f1,47,5f,df,f4,31,bc,e4,9d,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,9a,59,cb,8c,69,
b4,0b,ec,f6,0f,4e,58,98,5b,89,c9,fa,17,c0,ff,d1,88,a2,9d,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,c5,82,21,6e,2f,
9c,48,b9,3d,ce,ea,26,2d,45,aa,78,f4,c3,e8,32,99,01,0c,a0,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,3b,73,17,22,9e,
ec,c3,b2,2a,b7,cc,b5,b9,7f,41,e7,d8,88,69,ab,a7,a5,a0,01,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,5a,cc,8b,56,e0,
05,8b,38,6c,43,2d,1e,aa,22,2f,9c,0a,fa,ac,74,7d,b3,25,c9,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2009-01-21 21:55:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-21 20:55:45
ComboFix2.txt 2009-01-21 20:20:46

Pre-Run: 1,250,951,168 bytes free
Post-Run: 1,238,773,760 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /noexecute=alwaysoff

296

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Da li sada NOD detektuje nešto?

offline
  • Pridružio: 21 Jan 2009
  • Poruke: 6

dr_Bora ::Da li sada NOD detektuje nešto?

Ne...ne iskace nista vise... Very Happy


stavicu jos samo full sistem scan sutra,pa cu taman videti da li javlja nesto Smile

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Javi sutra rezultate skeniranja pa ćeš dobiti još jedno uputstvo za kraj.

offline
  • Pridružio: 21 Jan 2009
  • Poruke: 6

Skenirao ga,i opet mi bio naso user32.dll,medjutim sad samo samo isao na delete i obrisao se Smile,restartovao sam racunar,odradio custom scan na taj folder gde je on i sve je cisto Very Happy

Sta sad ?

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Klikni START a zatim RUN
U liniju za unos teksta ukucaj Combofix /u i klikni OK





Sačekaj da se proces deinstalacije završi

Gornja procedura će:
Obrisati sledeće:
ComboFix i njegove file-ove i foldere
VundoFix Backups folder, ako postoji
C:\Deckard folder, ako postoji
C:\OtMoveIt folder, ako postoji

Resetovati podešavanja sata na kompjuteru
Sakriti ekstenzije file-ova, ako je potrebno
Sakriti sistemske/skrivene file-ove/foldere, ako je potrebno
Resetovati System Restore




I to je to.

Ko je trenutno na forumu
 

Ukupno su 553 korisnika na forumu :: 31 registrovanih, 6 sakrivenih i 516 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 1567 - dana 15 Jul 2016 19:18

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: _Sale, A.R.Chafee.Jr., bobanrakidjic, borko_marjanovic, cole77, d.arsenal321, Dicus, Dorcolac, flash12, FOX2, goxin, ibssa, ivance95, joca83, Kaplar2, Marko Marković, matorigile, mocnijogurt, nradukic, Recce, ribar.ivan, Sasa Pavlovic, slonic_tonic, suponik, t84dar, Toni, Trpe Grozni, USSVoyager, vlad44, yamato, zoranlik