Infected MSN, is there any help?

  • MDVLAD
  • New MyCity citizen
  • Joined: 20 Sep 2008
  • Posts: 16

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:08:47 PM, on 11/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\asuskbservice.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\USBScan\USBScan.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Documents and Settings\Admin\Desktop\commd\manutd.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F1 - win.ini: load=c:\01comm32\bin\01comm32.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {56A9366C-793C-4283-8B40-22CD2F2B5E03} - C:\WINDOWS\system32\rbgrc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: MEGAUPLOADTOOLBAR - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: MEGAUPLOADTOOLBAR - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [SiSUSBRG] C:\windows\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [USBScan.exe] C:\Program Files\USBScan\USBScan.exe -Hide
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\spamexpertslsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\spamexpertslsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\spamexpertslsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\system32\antiwpa.dll
O23 - Service: ASUSKeyboardService - ASUSTeK COMPUTER INC. - C:\WINDOWS\asuskbservice.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Desktop (Service_Desktop) - Unknown owner - C:\Program Files\Free-Soft\Virtual Desktop\Desktop.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 7321 bytes

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...


Download ComboFix from one of the following addresses to your Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and do not touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear; paste it here for us.

  • MDVLAD
  • New MyCity citizen
  • Joined: 20 Sep 2008
  • Posts: 16

ComboFix 08-11-02.05 - Admin 2008-11-03 17:00:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.531 [GMT 1:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Admin\Application Data\inst.exe
c:\documents and settings\Admin\Application Data\urlredir.cfg
c:\documents and settings\Admin\Favorites\Download programs.url
c:\documents and settings\Admin\Favorites\Games.url
c:\documents and settings\Admin\Favorites\Translator.url
c:\documents and settings\Admin\Favorites\Videos.url
c:\program files\laughnetwork
c:\program files\laughnetwork\Temp\license.txt
c:\program files\laughnetwork\Uninst.exe
c:\program files\laughnetwork\update.exe
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\_000110_.tmp.dll
c:\windows\system32\grouppolicy\machine\scripts\scripts.ini
c:\windows\system32\rbgrc.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-10-03 to 2008-11-03 )))))))))))))))))))))))))))))))
.

2008-11-03 12:44 . 2008-11-03 12:44 250 --a------ c:\windows\gmer.ini
2008-10-24 08:58 . 2008-10-24 08:58 93,184 --a------ c:\windows\system32\rbgrc.dll
2008-10-22 14:57 . 2008-10-22 14:58 <DIR> d-------- c:\program files\Winamp
2008-10-22 14:57 . 2008-10-22 14:58 <DIR> d-------- c:\documents and settings\Admin\Application Data\Winamp
2008-10-14 13:53 . 2004-08-03 23:56 152,576 --a------ c:\windows\system32\irftp.exe
2008-10-14 13:53 . 2004-08-03 23:56 152,576 --a--c--- c:\windows\system32\dllcache\irftp.exe
2008-10-14 13:53 . 2004-08-03 23:56 27,136 --a------ c:\windows\system32\irmon.dll
2008-10-14 13:53 . 2004-08-03 23:56 27,136 --a--c--- c:\windows\system32\dllcache\irmon.dll
2008-10-14 13:53 . 2004-08-03 23:56 8,192 --a------ c:\windows\system32\wshirda.dll
2008-10-14 13:53 . 2004-08-03 23:56 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2008-10-13 08:53 . 2008-10-13 08:53 <DIR> d-------- c:\program files\AGI
2008-10-08 11:13 . 2008-10-08 13:34 <DIR> d--hs---- C:\INCINERATE
2008-10-08 11:02 . 2008-10-08 11:02 <DIR> d-------- c:\program files\iolo
2008-10-08 11:02 . 2002-06-04 15:48 309,248 --a------ c:\windows\system32\Incinerator.dll
2008-10-07 09:46 . 2008-10-07 09:46 <DIR> d-------- c:\documents and settings\Admin\Application Data\fltk.org
2008-10-04 15:49 . 2008-10-04 16:46 <DIR> d-------- c:\program files\Download Direct

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-03 16:07 --------- d-----w c:\documents and settings\Admin\Application Data\IDM
2008-11-03 16:01 --------- d-----w c:\documents and settings\Admin\Application Data\DMCache
2008-11-01 09:14 --------- d-----w c:\documents and settings\Admin\Application Data\MegauploadToolbar
2008-10-29 10:59 --------- d-----w c:\program files\TuneUp Utilities 2007
2008-10-22 13:48 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-22 13:45 --------- d-----w c:\program files\Java
2008-10-22 08:48 --------- d-----w c:\program files\KONAMI
2008-10-17 12:34 --------- d-----w c:\program files\nLite
2008-10-14 07:00 --------- d-----w c:\program files\Webshots
2008-10-10 08:33 --------- d-----w c:\program files\Opera
2008-10-07 13:19 --------- d-----w c:\program files\Pcsx2
2008-10-07 08:02 --------- d-----w c:\program files\MemTurbo 4
2008-10-07 08:02 --------- d-----w c:\program files\Internet Download Manager
2008-10-07 08:02 --------- d-----w c:\documents and settings\Admin\Application Data\LimeWire
2008-10-07 08:02 --------- d-----w c:\documents and settings\Admin\Application Data\BitTorrent
2008-09-27 08:36 --------- d-----w c:\program files\Sun
2008-09-27 07:02 --------- d-----w c:\program files\SUPERAntiSpyware
2008-09-25 11:44 --------- d-----w c:\program files\Easy GIF Animator
2008-09-23 14:28 --------- d-----w c:\program files\Advanced GIF Animator
2008-09-23 14:20 --------- d-----w c:\program files\ACE Photo Frame
2008-09-23 08:21 --------- d-----w c:\program files\DAP
2008-09-23 08:20 --------- d-----w c:\documents and settings\All Users\Application Data\SpeedBit
2008-09-23 08:19 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-09-22 12:36 --------- d-----w c:\program files\Paragon Software
2008-09-22 06:59 --------- d-----w c:\program files\MegauploadToolbar
2008-09-20 07:05 --------- d-----w c:\documents and settings\Admin\Application Data\EmailNotifier
2008-09-19 13:32 --------- d-----w c:\documents and settings\Admin\Application Data\Megaupload
2008-09-19 13:22 --------- d-----w c:\documents and settings\All Users\Application Data\Megaupload
2008-09-19 13:22 --------- d-----w c:\documents and settings\All Users\Application Data\EmailNotifier
2008-09-19 13:21 --------- d-----w c:\program files\Megaupload
2008-09-19 13:21 --------- d-----w c:\documents and settings\Admin\Application Data\InstallShield
2008-09-16 13:32 --------- d-----w c:\program files\Yahoo!
2008-09-16 13:31 --------- d-----w c:\program files\ScreenVCR
2008-09-16 13:31 --------- d-----w c:\program files\LimeWire
2008-09-16 13:31 --------- d-----w c:\program files\Gabest
2008-09-16 13:30 --------- d-----w c:\program files\Runtime Software
2008-09-16 13:25 --------- d-----w c:\program files\ACD Systems
2008-09-16 13:24 --------- d-----w c:\program files\Common Files\ACD Systems
2008-09-16 13:24 --------- d-----w c:\documents and settings\All Users\Application Data\ACD Systems
2008-09-15 08:41 --------- d-----w c:\program files\SpeedOptimizer
2008-09-15 08:41 --------- d-----w c:\documents and settings\Admin\Application Data\SpeedBit
2008-09-13 12:24 --------- d-----w c:\program files\Common Files\xing shared
2008-09-13 12:23 --------- d-----w c:\program files\Common Files\Real
2008-09-11 08:41 --------- d-----w c:\program files\USBScan
2008-09-10 12:02 --------- dc-h--w c:\documents and settings\All Users\Application Data\{5A76C6B3-3FA8-46D0-AA81-62C3805E38BC}
2008-09-10 11:42 43 ----a-w c:\documents and settings\Admin\Application Data\svighost.dll
2008-09-10 11:36 --------- d-----w c:\program files\GordianKnot
2008-09-10 11:36 --------- d-----w c:\program files\DivXCodec
2008-09-03 10:24 --------- d-----w c:\program files\YouTube Downloader 3000
2008-03-09 05:25 236 ---ha-w c:\program files\Common Files\dx.reg
2007-11-19 09:39 47,360 ----a-w c:\documents and settings\Admin\Application Data\pcouffin.sys
2007-09-19 14:17 81,920 ----a-w c:\documents and settings\Admin\Application Data\ezpinst.exe
2008-07-18 15:01 1,071,648 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-07-18 15:01 24,864 --sha-w c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56A9366C-793C-4283-8B40-22CD2F2B5E03}]
2008-10-24 08:58 93184 --a------ c:\windows\system32\rbgrc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-C39E-35F1D2A32EC8}]
2008-08-04 21:44 1947080 --a------ c:\progra~1\MEGAUP~1\MEGAUP~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-C39E-35F1D2A32EC8}"= "c:\progra~1\MEGAUP~1\MEGAUP~1.DLL" [2008-08-04 1947080]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A057A204-BACC-4D26-C39E-35F1D2A32EC8}"= "c:\progra~1\MEGAUP~1\MEGAUP~1.DLL" [2008-08-04 1947080]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-c39e-35f1d2a32ec8}]
[HKEY_CLASSES_ROOT\megauploadtoolbar.MEGAUPLOADTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-27 1576176]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2008-09-23 2607616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2004-04-06 106496]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]
"USBScan.exe"="c:\program files\USBScan\USBScan.exe" [2008-06-29 1261056]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-12-20 37376]
"SiSPower"="SiSPower.dll" [2006-08-22 c:\windows\system32\SiSPower.dll]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 c:\windows\SOUNDMAN.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCpl"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoStartMenuPinnedList"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)
"GreyMSIAds"= 1 (0x1)
"NoUserNameInStartMenu"= 1 (0x1)
"NoStartMenuSubFolders"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoStartMenuPinnedList"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoUserNameInStartMenu"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{51C55F9E-C308-4c95-89AB-8858D8AFD819}"= "c:\program files\ParetoLogic\Anti-Spyware\PASShlExt.dll" [2008-06-19 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\\WINDOWS\\system32\\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-09-27 08:02 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=share

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^MemTurbo.lnk]
path=c:\documents and settings\Admin\Start Menu\Programs\Startup\MemTurbo.lnk
backup=c:\windows\pss\MemTurbo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Admin\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Caffe-Server
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RavAV

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLD.EXE]
--a------ 2007-09-16 23:46 1343488 c:\program files\Download Direct\DLD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2008-09-23 11:06 2607616 c:\program files\Internet Download Manager\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"Netlogon"=3 (0x3)
"BITS"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ParetoLogic Anti-Spyware"="c:\program files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"anvshell"=anvshell.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Opera\\Opera.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\BitLord2\\BitLord.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12350:TCP"= 12350:TCP:NortonAV
"13146:TCP"= 13146:TCP:NortonAV
"18737:TCP"= 18737:TCP:NortonAV
"12750:TCP"= 12750:TCP:NortonAV
"17584:TCP"= 17584:TCP:NortonAV
"18435:TCP"= 18435:TCP:NortonAV
"15080:TCP"= 15080:TCP:NortonAV
"18791:TCP"= 18791:TCP:NortonAV
"17014:TCP"= 17014:TCP:NortonAV
"17285:TCP"= 17285:TCP:NortonAV
"13405:TCP"= 13405:TCP:NortonAV
"17225:TCP"= 17225:TCP:NortonAV
"16363:TCP"= 16363:TCP:NortonAV
"16739:TCP"= 16739:TCP:NortonAV
"16335:TCP"= 16335:TCP:NortonAV
"18913:TCP"= 18913:TCP:NortonAV
"17031:TCP"= 17031:TCP:NortonAV
"12429:TCP"= 12429:TCP:NortonAV
"13744:TCP"= 13744:TCP:NortonAV
"13153:TCP"= 13153:TCP:NortonAV
"16872:TCP"= 16872:TCP:NortonAV
"15884:TCP"= 15884:TCP:NortonAV
"12007:TCP"= 12007:TCP:NortonAV
"16663:TCP"= 16663:TCP:NortonAV
"12435:TCP"= 12435:TCP:NortonAV
"12690:TCP"= 12690:TCP:NortonAV
"17291:TCP"= 17291:TCP:NortonAV
"12301:TCP"= 12301:TCP:NortonAV
"18840:TCP"= 18840:TCP:NortonAV
"12858:TCP"= 12858:TCP:NortonAV
"18344:TCP"= 18344:TCP:NortonAV
"17517:TCP"= 17517:TCP:NortonAV
"13371:TCP"= 13371:TCP:NortonAV
"16901:TCP"= 16901:TCP:NortonAV
"18285:TCP"= 18285:TCP:NortonAV
"18087:TCP"= 18087:TCP:NortonAV
"16587:TCP"= 16587:TCP:NortonAV
"14839:TCP"= 14839:TCP:NortonAV
"14984:TCP"= 14984:TCP:NortonAV
"17824:TCP"= 17824:TCP:NortonAV
"15822:TCP"= 15822:TCP:NortonAV
"12893:TCP"= 12893:TCP:NortonAV
"18406:TCP"= 18406:TCP:NortonAV
"16767:TCP"= 16767:TCP:NortonAV
"13361:TCP"= 13361:TCP:NortonAV
"15180:TCP"= 15180:TCP:NortonAV
"14253:TCP"= 14253:TCP:NortonAV
"18530:TCP"= 18530:TCP:NortonAV
"12543:TCP"= 12543:TCP:NortonAV
"13341:TCP"= 13341:TCP:NortonAV
"13385:TCP"= 13385:TCP:NortonAV
"16693:TCP"= 16693:TCP:NortonAV
"12357:TCP"= 12357:TCP:NortonAV
"14643:TCP"= 14643:TCP:NortonAV
"16617:TCP"= 16617:TCP:NortonAV
"13912:TCP"= 13912:TCP:NortonAV
"15165:TCP"= 15165:TCP:NortonAV
"12476:TCP"= 12476:TCP:NortonAV
"13252:TCP"= 13252:TCP:NortonAV
"13833:TCP"= 13833:TCP:NortonAV
"13461:TCP"= 13461:TCP:NortonAV
"16607:TCP"= 16607:TCP:NortonAV
"12983:TCP"= 12983:TCP:NortonAV
"12465:TCP"= 12465:TCP:NortonAV
"15817:TCP"= 15817:TCP:NortonAV
"15969:TCP"= 15969:TCP:NortonAV
"12729:TCP"= 12729:TCP:NortonAV
"17582:TCP"= 17582:TCP:NortonAV
"17818:TCP"= 17818:TCP:NortonAV
"15964:TCP"= 15964:TCP:NortonAV
"18685:TCP"= 18685:TCP:NortonAV
"15451:TCP"= 15451:TCP:NortonAV
"15637:TCP"= 15637:TCP:NortonAV
"17057:TCP"= 17057:TCP:NortonAV
"12212:TCP"= 12212:TCP:NortonAV
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"94:TCP"= 94:TCP:VRS Recording System Web Control Panel
"8000:UDP"= 8000:UDP:Axon Virtual PBX RTP Incoming Audio (UDP)
"81:TCP"= 81:TCP:Axon Virtual PBX Web Server

R0 Achernar;Achernar - SCSI Command Filters;c:\windows\system32\Drivers\Achernar.sys [2005-09-23 16855]
R0 kqquysbs;kqquysbs;c:\windows\system32\drivers\kqquysbs.sys [2001-08-23 23424]
R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2007-12-21 33800]
R3 Aldebaran;Aldebaran - SCSI Command Filters;c:\windows\system32\Drivers\Aldebaran.sys [2005-09-23 21808]
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;c:\windows\system32\DRIVERS\sisnicxp.sys [2006-02-14 32768]
S1 ANVIOCTL;ANVIOCTL;c:\windows\system32\DRIVERS\anvioctl.sys [2004-07-08 233816]
S1 SysTool;SysTool Overclocking Utility;c:\windows\system32\DRIVERS\SysTool.sys [2006-11-10 24064]
S2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe [2004-08-03 14336]
S3 GT680xNT;ColorPage-Vivid 1200XE;c:\windows\system32\drivers\gt680x.sys [ ]
S3 HSFHWCD2;HSFHWCD2;c:\windows\system32\DRIVERS\HSFHWCD2.sys [ ]
S3 qcusbser;Mobile Connector USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\cmusbser.sys [2007-10-16 97408]
S3 Service_Desktop;Desktop;c:\program files\Free-Soft\Virtual Desktop\Desktop.exe [2004-08-20 414208]
S3 SIWIO;SIWIO;c:\windows\TEMP\SiwIo.sys [ ]
S3 TridDev;Trident Device;c:\windows\system32\DRIVERS\Triddev.sys [2005-04-26 3584]
S3 tridhid;tridhid - USB 2.0 HID Driver;c:\windows\system32\drivers\tridhid.sys [2006-09-04 6656]
S3 TridVid;PlayTV 405 Analog Video;c:\windows\system32\DRIVERS\TridVid.sys [2006-09-11 138880]
S3 usbprint;Microsoft USB PRINTER Class;c:\windows\system32\DRIVERS\usbprint.sys [2004-08-04 25856]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4be02e21-d4ac-11dc-ac90-0015f2b0b221}]
\Shell\AutoRun\command - f:\.\ShowModem.exe
.
Contents of the 'Scheduled Tasks' folder

2008-10-10 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe []

2008-10-07 c:\windows\Tasks\Pareto UNS.job
- c:\program files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe []

2008-07-21 c:\windows\Tasks\ParetoLogic Anti-Spyware.job
- c:\program files\ParetoLogic\Anti-Spyware\Pareto_AS.exe [2007-08-01 12:56]

2008-07-21 c:\windows\Tasks\ParetoLogic Anti-Spyware.job
- c:\program files\ParetoLogic\Anti-Spyware\ [2008-10-22 15:01]

2008-09-26 c:\windows\Tasks\ParetoLogic Update.job
- c:\program files\Common Files\ParetoLogic\UUS\Pareto_Update.exe [2007-08-01 12:39]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
ShellExecuteHooks-{097F10A7-487F-4457-AB1F-827C59479A72} - (no file)
MSConfigStartUp-DownloadAccelerator - c:\program files\DAP\DAP.EXE
MSConfigStartUp-KiweeHook - c:\program files\Kiwee Toolbar2\1.3.118\kwtbaim.exe
MSConfigStartUp-SmartRAM - c:\program files\IObit\Advanced WindowsCare V2\MemCleaner.exe
MSConfigStartUp-SpeedBitVideoAccelerator - c:\program files\SpeedBit Video Accelerator\VideoAccelerator.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\1kxavb3l.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.toggle.com/index.php?rvs=hompag
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-03 17:06:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\lsass.exe
-> c:\windows\system32\SpamExpertsLSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\asuskbservice.exe
c:\program files\Eset\ESET NOD32 Antivirus\ekrn.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\UAService7.exe
c:\windows\system32\wscntfy.exe
c:\program files\Internet Download Manager\IEMonitor.exe
c:\program files\Opera\opera.exe
c:\program files\Winamp\winamp.exe
.
**************************************************************************
.
Completion time: 2008-11-03 17:15:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-03 16:14:56

Pre-Run: 13,014,601,728 bytes free
Post-Run: 13,065,625,600 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /tutag=e1a364 /kernel=tukernel.exe /bootlog

394 --- E O F --- 2008-10-03 14:57:15

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Download the program from the following link: http://amf.mycity.rs/personal/dr_Bora/Win32.Rjump_Port_Exception_Cleaner.exe

Run it by double-clicking and follow the procedure to the end (it will take only 1-2 seconds).



-------------------------------------------------------------------------------------



Open Notepad and copy the following text into it:

File::
c:\documents and settings\Admin\Application Data\svighost.dll
c:\windows\system32\drivers\kqquysbs.sys

Driver::
kqquysbs

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56A9366C-793C-4283-8B40-22CD2F2B5E03}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RavAV]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4be02e21-d4ac-11dc-ac90-0015f2b0b221}]


Save the file from Notepad to the Desktop as "CFScript"




Drag the saved script/text onto the ComboFix icon as shown in the picture.
In your next message, post the log that is produced at the end of the cleaning/scan.
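The checks the helper applied by hand to the log above, as an added example that is not part of the thread or of ComboFix: it scans a constructed ComboFix-style log for a flood of firewall port exceptions under one label, for drivers loaded from TEMP or user-profile paths or boot-start drivers with no vendor description, and for mountpoints2 AutoRun commands, then drafts a CFScript in the File::/Driver::/Registry:: layout used above for a person to review. The threshold and the driver heuristics are assumptions, not ComboFix rules.

```python
import re
from collections import Counter

# Constructed sample in the shape of the ComboFix log posted in the thread:
# a short port-exception list, three driver lines and one mountpoints2 key.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12350:TCP"= 12350:TCP:NortonAV
"13146:TCP"= 13146:TCP:NortonAV
"18737:TCP"= 18737:TCP:NortonAV
"12750:TCP"= 12750:TCP:NortonAV
"17584:TCP"= 17584:TCP:NortonAV
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"81:TCP"= 81:TCP:Axon Virtual PBX Web Server

R0 kqquysbs;kqquysbs;c:\windows\system32\drivers\kqquysbs.sys [2001-08-23 23424]
R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2007-12-21 33800]
S3 SIWIO;SIWIO;c:\windows\TEMP\SiwIo.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4be02e21-d4ac-11dc-ac90-0015f2b0b221}]
\Shell\AutoRun\command - f:\.\ShowModem.exe
"""

# "12350:TCP"= 12350:TCP:NortonAV  ->  port, protocol, label
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
# R0 name;description;path [date size]  ->  start type, name, description, path
DRIVER_RE = re.compile(r'^([RS]\d) ([^;]+);([^;]*);(.+?) \[', re.M)


def port_exception_floods(log, threshold=5):
    """Labels that own at least `threshold` firewall port exceptions.

    One product opening a few ports is normal; dozens of random high ports
    under a single label is the pattern the thread's port-exception cleaner
    removed. The threshold is an assumption for this example."""
    counts = Counter()
    for line in log.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            counts[m.group(3).strip()] += 1
    return {label: n for label, n in counts.items() if n >= threshold}


def suspicious_drivers(log):
    """Driver/service lines worth a human look, as (name, path, reason).

    Two heuristics (assumptions, not ComboFix rules): a .sys loaded from a
    TEMP or user-profile directory, and a boot-start (R0) driver whose
    description is nothing but its own name, so nothing identifies a vendor."""
    flagged = []
    for start, name, desc, path in DRIVER_RE.findall(log):
        low = path.lower()
        odd_dir = "\\temp\\" in low or low.startswith("c:\\documents and settings\\")
        if low.endswith(".sys") and odd_dir:
            flagged.append((name, path, "driver loaded from a temp/profile path"))
        elif start == "R0" and desc.strip().lower() == name.strip().lower():
            flagged.append((name, path, "boot-start driver with no vendor description"))
    return flagged


def autorun_mountpoints(log):
    """(registry key, command) pairs for mountpoints2 AutoRun commands,
    i.e. programs Explorer would launch when a removable drive is opened."""
    found, key = [], None
    for line in log.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            key = s[1:-1] if "mountpoints2" in s.lower() else None
        elif key and s.lower().startswith("\\shell\\autorun\\command"):
            found.append((key, s.split(" - ", 1)[1].strip()))
    return found


def render_cfscript(drivers, mountpoints):
    """Draft a ComboFix CFScript in the File::/Driver::/Registry:: layout
    shown in the thread. It is a starting point for the person doing the
    cleanup to review, not something to run unread."""
    out = ["File::"] + [path for _, path, _ in drivers]
    out += ["", "Driver::"] + [name for name, _, _ in drivers]
    out += ["", "Registry::"] + ["[-%s]" % key for key, _ in mountpoints]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for label, n in port_exception_floods(SAMPLE_LOG).items():
        print("firewall: %d port exceptions share the label %r" % (n, label))
    drivers = suspicious_drivers(SAMPLE_LOG)
    for name, path, reason in drivers:
        print("driver %s (%s): %s" % (name, path, reason))
    mounts = autorun_mountpoints(SAMPLE_LOG)
    for key, cmd in mounts:
        print("autorun: %s -> %s" % (key, cmd))
    print("\n--- CFScript draft ---\n" + render_cfscript(drivers, mounts))
```

On the full log from the thread the same functions flag the NortonAV exception list, the kqquysbs and SiwIo drivers, and the f:\ AutoRun key; the epfwtdir entry (ESET) is left alone.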

  • MDVLAD
  • New MyCity citizen
  • Joined: 20 Sep 2008
  • Posts: 16

ComboFix 08-11-03.04 - Admin 2008-11-04 9:07:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.592 [GMT 1:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
c:\documents and settings\Admin\Application Data\svighost.dll
c:\windows\system32\drivers\kqquysbs.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Admin\Application Data\svighost.dll
c:\windows\system32\drivers\kqquysbs.sys
c:\windows\system32\rbgrc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KQQUYSBS
-------\Service_kqquysbs


((((((((((((((((((((((((( Files Created from 2008-10-04 to 2008-11-04 )))))))))))))))))))))))))))))))
.

2008-11-03 12:44 . 2008-11-03 12:44 250 --a------ c:\windows\gmer.ini
2008-10-22 14:57 . 2008-10-22 14:58 <DIR> d-------- c:\program files\Winamp
2008-10-22 14:57 . 2008-10-22 14:58 <DIR> d-------- c:\documents and settings\Admin\Application Data\Winamp
2008-10-14 13:53 . 2004-08-03 23:56 152,576 --a------ c:\windows\system32\irftp.exe
2008-10-14 13:53 . 2004-08-03 23:56 152,576 --a--c--- c:\windows\system32\dllcache\irftp.exe
2008-10-14 13:53 . 2004-08-03 23:56 27,136 --a------ c:\windows\system32\irmon.dll
2008-10-14 13:53 . 2004-08-03 23:56 27,136 --a--c--- c:\windows\system32\dllcache\irmon.dll
2008-10-14 13:53 . 2004-08-03 23:56 8,192 --a------ c:\windows\system32\wshirda.dll
2008-10-14 13:53 . 2004-08-03 23:56 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2008-10-13 08:53 . 2008-10-13 08:53 <DIR> d-------- c:\program files\AGI
2008-10-08 11:13 . 2008-10-08 13:34 <DIR> d--hs---- C:\INCINERATE
2008-10-08 11:02 . 2008-10-08 11:02 <DIR> d-------- c:\program files\iolo
2008-10-08 11:02 . 2002-06-04 15:48 309,248 --a------ c:\windows\system32\Incinerator.dll
2008-10-07 09:46 . 2008-10-07 09:46 <DIR> d-------- c:\documents and settings\Admin\Application Data\fltk.org
2008-10-04 15:49 . 2008-10-04 16:46 <DIR> d-------- c:\program files\Download Direct

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-04 08:44 --------- d-----w c:\documents and settings\Admin\Application Data\IDM
2008-11-04 07:58 --------- d-----w c:\documents and settings\Admin\Application Data\DMCache
2008-11-01 09:14 --------- d-----w c:\documents and settings\Admin\Application Data\MegauploadToolbar
2008-10-29 10:59 --------- d-----w c:\program files\TuneUp Utilities 2007
2008-10-22 13:48 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-22 13:45 --------- d-----w c:\program files\Java
2008-10-22 08:48 --------- d-----w c:\program files\KONAMI
2008-10-17 12:34 --------- d-----w c:\program files\nLite
2008-10-14 07:00 --------- d-----w c:\program files\Webshots
2008-10-10 08:33 --------- d-----w c:\program files\Opera
2008-10-07 13:19 --------- d-----w c:\program files\Pcsx2
2008-10-07 08:02 --------- d-----w c:\program files\MemTurbo 4
2008-10-07 08:02 --------- d-----w c:\program files\Internet Download Manager
2008-10-07 08:02 --------- d-----w c:\documents and settings\Admin\Application Data\LimeWire
2008-10-07 08:02 --------- d-----w c:\documents and settings\Admin\Application Data\BitTorrent
2008-09-27 08:36 --------- d-----w c:\program files\Sun
2008-09-27 07:02 --------- d-----w c:\program files\SUPERAntiSpyware
2008-09-25 11:44 --------- d-----w c:\program files\Easy GIF Animator
2008-09-23 14:28 --------- d-----w c:\program files\Advanced GIF Animator
2008-09-23 14:20 --------- d-----w c:\program files\ACE Photo Frame
2008-09-23 08:21 --------- d-----w c:\program files\DAP
2008-09-23 08:20 --------- d-----w c:\documents and settings\All Users\Application Data\SpeedBit
2008-09-23 08:19 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-09-22 12:36 --------- d-----w c:\program files\Paragon Software
2008-09-22 06:59 --------- d-----w c:\program files\MegauploadToolbar
2008-09-20 07:05 --------- d-----w c:\documents and settings\Admin\Application Data\EmailNotifier
2008-09-19 13:32 --------- d-----w c:\documents and settings\Admin\Application Data\Megaupload
2008-09-19 13:22 --------- d-----w c:\documents and settings\All Users\Application Data\Megaupload
2008-09-19 13:22 --------- d-----w c:\documents and settings\All Users\Application Data\EmailNotifier
2008-09-19 13:21 --------- d-----w c:\program files\Megaupload
2008-09-19 13:21 --------- d-----w c:\documents and settings\Admin\Application Data\InstallShield
2008-09-16 13:32 --------- d-----w c:\program files\Yahoo!
2008-09-16 13:31 --------- d-----w c:\program files\ScreenVCR
2008-09-16 13:31 --------- d-----w c:\program files\LimeWire
2008-09-16 13:31 --------- d-----w c:\program files\Gabest
2008-09-16 13:30 --------- d-----w c:\program files\Runtime Software
2008-09-16 13:25 --------- d-----w c:\program files\ACD Systems
2008-09-16 13:24 --------- d-----w c:\program files\Common Files\ACD Systems
2008-09-16 13:24 --------- d-----w c:\documents and settings\All Users\Application Data\ACD Systems
2008-09-15 08:41 --------- d-----w c:\program files\SpeedOptimizer
2008-09-15 08:41 --------- d-----w c:\documents and settings\Admin\Application Data\SpeedBit
2008-09-13 12:24 --------- d-----w c:\program files\Common Files\xing shared
2008-09-13 12:23 --------- d-----w c:\program files\Common Files\Real
2008-09-11 08:41 --------- d-----w c:\program files\USBScan
2008-09-10 12:02 --------- dc-h--w c:\documents and settings\All Users\Application Data\{5A76C6B3-3FA8-46D0-AA81-62C3805E38BC}
2008-09-10 11:36 --------- d-----w c:\program files\GordianKnot
2008-09-10 11:36 --------- d-----w c:\program files\DivXCodec
2008-03-09 05:25 236 ---ha-w c:\program files\Common Files\dx.reg
2007-11-19 09:39 47,360 ----a-w c:\documents and settings\Admin\Application Data\pcouffin.sys
2007-09-19 14:17 81,920 ----a-w c:\documents and settings\Admin\Application Data\ezpinst.exe
2008-07-18 15:01 1,071,648 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-07-18 15:01 24,864 --sha-w c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( snapshot@2008-11-03_17.13.50.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-11-03 08:03:44 79,118 ----a-w c:\windows\system32\perfc009.dat
+ 2008-11-04 08:44:31 79,118 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-03 08:03:44 457,622 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-04 08:44:31 457,622 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-C39E-35F1D2A32EC8}]
2008-08-04 21:44 1947080 --a------ c:\progra~1\MEGAUP~1\MEGAUP~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-C39E-35F1D2A32EC8}"= "c:\progra~1\MEGAUP~1\MEGAUP~1.DLL" [2008-08-04 1947080]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A057A204-BACC-4D26-C39E-35F1D2A32EC8}"= "c:\progra~1\MEGAUP~1\MEGAUP~1.DLL" [2008-08-04 1947080]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-c39e-35f1d2a32ec8}]
[HKEY_CLASSES_ROOT\megauploadtoolbar.MEGAUPLOADTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-27 1576176]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2008-09-23 2607616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2004-04-06 106496]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]
"USBScan.exe"="c:\program files\USBScan\USBScan.exe" [2008-06-29 1261056]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-12-20 37376]
"SiSPower"="SiSPower.dll" [2006-08-22 c:\windows\system32\SiSPower.dll]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 c:\windows\SOUNDMAN.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCpl"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoStartMenuPinnedList"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)
"GreyMSIAds"= 1 (0x1)
"NoUserNameInStartMenu"= 1 (0x1)
"NoStartMenuSubFolders"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoStartMenuPinnedList"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoUserNameInStartMenu"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{51C55F9E-C308-4c95-89AB-8858D8AFD819}"= "c:\program files\ParetoLogic\Anti-Spyware\PASShlExt.dll" [2008-06-19 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\\WINDOWS\\system32\\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-09-27 08:02 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=share

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^MemTurbo.lnk]
path=c:\documents and settings\Admin\Start Menu\Programs\Startup\MemTurbo.lnk
backup=c:\windows\pss\MemTurbo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Admin\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Caffe-Server
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLD.EXE]
--a------ 2007-09-16 23:46 1343488 c:\program files\Download Direct\DLD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2008-09-23 11:06 2607616 c:\program files\Internet Download Manager\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"Netlogon"=3 (0x3)
"BITS"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ParetoLogic Anti-Spyware"="c:\program files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"anvshell"=anvshell.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Opera\\Opera.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\BitLord2\\BitLord.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"94:TCP"= 94:TCP:VRS Recording System Web Control Panel
"8000:UDP"= 8000:UDP:Axon Virtual PBX RTP Incoming Audio (UDP)
"81:TCP"= 81:TCP:Axon Virtual PBX Web Server

R0 Achernar;Achernar - SCSI Command Filters;c:\windows\system32\Drivers\Achernar.sys [2005-09-23 16855]
R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2007-12-21 33800]
R3 Aldebaran;Aldebaran - SCSI Command Filters;c:\windows\system32\Drivers\Aldebaran.sys [2005-09-23 21808]
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;c:\windows\system32\DRIVERS\sisnicxp.sys [2006-02-14 32768]
S1 ANVIOCTL;ANVIOCTL;c:\windows\system32\DRIVERS\anvioctl.sys [2004-07-08 233816]
S1 SysTool;SysTool Overclocking Utility;c:\windows\system32\DRIVERS\SysTool.sys [2006-11-10 24064]
S2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe [2004-08-03 14336]
S3 GT680xNT;ColorPage-Vivid 1200XE;c:\windows\system32\drivers\gt680x.sys [ ]
S3 HSFHWCD2;HSFHWCD2;c:\windows\system32\DRIVERS\HSFHWCD2.sys [ ]
S3 qcusbser;Mobile Connector USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\cmusbser.sys [2007-10-16 97408]
S3 Service_Desktop;Desktop;c:\program files\Free-Soft\Virtual Desktop\Desktop.exe [2004-08-20 414208]
S3 SIWIO;SIWIO;c:\windows\TEMP\SiwIo.sys [ ]
S3 TridDev;Trident Device;c:\windows\system32\DRIVERS\Triddev.sys [2005-04-26 3584]
S3 tridhid;tridhid - USB 2.0 HID Driver;c:\windows\system32\drivers\tridhid.sys [2006-09-04 6656]
S3 TridVid;PlayTV 405 Analog Video;c:\windows\system32\DRIVERS\TridVid.sys [2006-09-11 138880]
S3 usbprint;Microsoft USB PRINTER Class;c:\windows\system32\DRIVERS\usbprint.sys [2004-08-04 25856]

*Newly Created Service* - KQQUYSBS
.
Contents of the 'Scheduled Tasks' folder

2008-10-10 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe []

2008-10-07 c:\windows\Tasks\Pareto UNS.job
- c:\program files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe []

2008-07-21 c:\windows\Tasks\ParetoLogic Anti-Spyware.job
- c:\program files\ParetoLogic\Anti-Spyware\Pareto_AS.exe [2007-08-01 12:56]

2008-07-21 c:\windows\Tasks\ParetoLogic Anti-Spyware.job
- c:\program files\ParetoLogic\Anti-Spyware\ [2008-10-22 15:01]

2008-09-26 c:\windows\Tasks\ParetoLogic Update.job
- c:\program files\Common Files\ParetoLogic\UUS\Pareto_Update.exe [2007-08-01 12:39]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-04 09:43:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\lsass.exe
-> c:\windows\system32\SpamExpertsLSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\asuskbservice.exe
c:\program files\Eset\ESET NOD32 Antivirus\ekrn.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\UAService7.exe
c:\windows\system32\wscntfy.exe
c:\program files\Winamp\winamp.exe
c:\program files\Internet Download Manager\IEMonitor.exe
.
**************************************************************************
.
Completion time: 2008-11-04 9:49:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-04 08:49:26
ComboFix2.txt 2008-11-03 16:15:12

Pre-Run: 13,173,067,776 bytes free
Post-Run: 13,064,261,632 bytes free

295 --- E O F --- 2008-10-03 14:57:15

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

What is the situation now?

  • MDVLAD
  • New MyCity citizen
  • Joined: 20 Sep 2008
  • Posts: 16

Nobody has complained to me that they have been receiving anything, does that mean the problem is solved?

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

From what I can see, the computer is clean.

Do the following:
Click START and then RUN
In the text entry line type Combofix /u and click OK

Wait for the uninstall process to finish

The above procedure will:
Delete the following:
ComboFix and its files and folders
VundoFix Backups folder, if it exists
C:\Deckard folder, if it exists
C:\OtMoveIt folder, if it exists

Reset the clock settings on the computer
Hide file extensions, if needed
Hide system/hidden files/folders, if needed
Reset System Restore

If there are any problems... you know where we are.

  • MDVLAD
  • New MyCity citizen
  • Joined: 20 Sep 2008
  • Posts: 16

Thanks a lot, the computer runs much better now and, as far as I can tell, MSN doesn't freeze anymore; everything is OK now.
