Infected MSN, is there any help?

  • MDVLAD
  • New MyCity citizen
  • Joined: 20 Sep 2008
  • Posts: 16

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:08:47 PM, on 11/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\asuskbservice.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\USBScan\USBScan.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Documents and Settings\Admin\Desktop\commd\manutd.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F1 - win.ini: load=c:\01comm32\bin\01comm32.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {56A9366C-793C-4283-8B40-22CD2F2B5E03} - C:\WINDOWS\system32\rbgrc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: MEGAUPLOADTOOLBAR - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: MEGAUPLOADTOOLBAR - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [SiSUSBRG] C:\windows\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [USBScan.exe] C:\Program Files\USBScan\USBScan.exe -Hide
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\spamexpertslsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\spamexpertslsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\spamexpertslsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\system32\antiwpa.dll
O23 - Service: ASUSKeyboardService - ASUSTeK COMPUTER INC. - C:\WINDOWS\asuskbservice.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Desktop (Service_Desktop) - Unknown owner - C:\Program Files\Free-Soft\Virtual Desktop\Desktop.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 7321 bytes

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...

Download ComboFix from one of the following addresses to the Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and do not touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear, which you will copy here for us.

  • MDVLAD
  • New MyCity citizen
  • Joined: 20 Sep 2008
  • Posts: 16

ComboFix 08-11-02.05 - Admin 2008-11-03 17:00:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.531 [GMT 1:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Admin\Application Data\inst.exe
c:\documents and settings\Admin\Application Data\urlredir.cfg
c:\documents and settings\Admin\Favorites\Download programs.url
c:\documents and settings\Admin\Favorites\Games.url
c:\documents and settings\Admin\Favorites\Translator.url
c:\documents and settings\Admin\Favorites\Videos.url
c:\program files\laughnetwork
c:\program files\laughnetwork\Temp\license.txt
c:\program files\laughnetwork\Uninst.exe
c:\program files\laughnetwork\update.exe
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\_000110_.tmp.dll
c:\windows\system32\grouppolicy\machine\scripts\scripts.ini
c:\windows\system32\rbgrc.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-10-03 to 2008-11-03 )))))))))))))))))))))))))))))))
.

2008-11-03 12:44 . 2008-11-03 12:44 250 --a------ c:\windows\gmer.ini
2008-10-24 08:58 . 2008-10-24 08:58 93,184 --a------ c:\windows\system32\rbgrc.dll
2008-10-22 14:57 . 2008-10-22 14:58 <DIR> d-------- c:\program files\Winamp
2008-10-22 14:57 . 2008-10-22 14:58 <DIR> d-------- c:\documents and settings\Admin\Application Data\Winamp
2008-10-14 13:53 . 2004-08-03 23:56 152,576 --a------ c:\windows\system32\irftp.exe
2008-10-14 13:53 . 2004-08-03 23:56 152,576 --a--c--- c:\windows\system32\dllcache\irftp.exe
2008-10-14 13:53 . 2004-08-03 23:56 27,136 --a------ c:\windows\system32\irmon.dll
2008-10-14 13:53 . 2004-08-03 23:56 27,136 --a--c--- c:\windows\system32\dllcache\irmon.dll
2008-10-14 13:53 . 2004-08-03 23:56 8,192 --a------ c:\windows\system32\wshirda.dll
2008-10-14 13:53 . 2004-08-03 23:56 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2008-10-13 08:53 . 2008-10-13 08:53 <DIR> d-------- c:\program files\AGI
2008-10-08 11:13 . 2008-10-08 13:34 <DIR> d--hs---- C:\INCINERATE
2008-10-08 11:02 . 2008-10-08 11:02 <DIR> d-------- c:\program files\iolo
2008-10-08 11:02 . 2002-06-04 15:48 309,248 --a------ c:\windows\system32\Incinerator.dll
2008-10-07 09:46 . 2008-10-07 09:46 <DIR> d-------- c:\documents and settings\Admin\Application Data\fltk.org
2008-10-04 15:49 . 2008-10-04 16:46 <DIR> d-------- c:\program files\Download Direct

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-03 16:07 --------- d-----w c:\documents and settings\Admin\Application Data\IDM
2008-11-03 16:01 --------- d-----w c:\documents and settings\Admin\Application Data\DMCache
2008-11-01 09:14 --------- d-----w c:\documents and settings\Admin\Application Data\MegauploadToolbar
2008-10-29 10:59 --------- d-----w c:\program files\TuneUp Utilities 2007
2008-10-22 13:48 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-22 13:45 --------- d-----w c:\program files\Java
2008-10-22 08:48 --------- d-----w c:\program files\KONAMI
2008-10-17 12:34 --------- d-----w c:\program files\nLite
2008-10-14 07:00 --------- d-----w c:\program files\Webshots
2008-10-10 08:33 --------- d-----w c:\program files\Opera
2008-10-07 13:19 --------- d-----w c:\program files\Pcsx2
2008-10-07 08:02 --------- d-----w c:\program files\MemTurbo 4
2008-10-07 08:02 --------- d-----w c:\program files\Internet Download Manager
2008-10-07 08:02 --------- d-----w c:\documents and settings\Admin\Application Data\LimeWire
2008-10-07 08:02 --------- d-----w c:\documents and settings\Admin\Application Data\BitTorrent
2008-09-27 08:36 --------- d-----w c:\program files\Sun
2008-09-27 07:02 --------- d-----w c:\program files\SUPERAntiSpyware
2008-09-25 11:44 --------- d-----w c:\program files\Easy GIF Animator
2008-09-23 14:28 --------- d-----w c:\program files\Advanced GIF Animator
2008-09-23 14:20 --------- d-----w c:\program files\ACE Photo Frame
2008-09-23 08:21 --------- d-----w c:\program files\DAP
2008-09-23 08:20 --------- d-----w c:\documents and settings\All Users\Application Data\SpeedBit
2008-09-23 08:19 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-09-22 12:36 --------- d-----w c:\program files\Paragon Software
2008-09-22 06:59 --------- d-----w c:\program files\MegauploadToolbar
2008-09-20 07:05 --------- d-----w c:\documents and settings\Admin\Application Data\EmailNotifier
2008-09-19 13:32 --------- d-----w c:\documents and settings\Admin\Application Data\Megaupload
2008-09-19 13:22 --------- d-----w c:\documents and settings\All Users\Application Data\Megaupload
2008-09-19 13:22 --------- d-----w c:\documents and settings\All Users\Application Data\EmailNotifier
2008-09-19 13:21 --------- d-----w c:\program files\Megaupload
2008-09-19 13:21 --------- d-----w c:\documents and settings\Admin\Application Data\InstallShield
2008-09-16 13:32 --------- d-----w c:\program files\Yahoo!
2008-09-16 13:31 --------- d-----w c:\program files\ScreenVCR
2008-09-16 13:31 --------- d-----w c:\program files\LimeWire
2008-09-16 13:31 --------- d-----w c:\program files\Gabest
2008-09-16 13:30 --------- d-----w c:\program files\Runtime Software
2008-09-16 13:25 --------- d-----w c:\program files\ACD Systems
2008-09-16 13:24 --------- d-----w c:\program files\Common Files\ACD Systems
2008-09-16 13:24 --------- d-----w c:\documents and settings\All Users\Application Data\ACD Systems
2008-09-15 08:41 --------- d-----w c:\program files\SpeedOptimizer
2008-09-15 08:41 --------- d-----w c:\documents and settings\Admin\Application Data\SpeedBit
2008-09-13 12:24 --------- d-----w c:\program files\Common Files\xing shared
2008-09-13 12:23 --------- d-----w c:\program files\Common Files\Real
2008-09-11 08:41 --------- d-----w c:\program files\USBScan
2008-09-10 12:02 --------- dc-h--w c:\documents and settings\All Users\Application Data\{5A76C6B3-3FA8-46D0-AA81-62C3805E38BC}
2008-09-10 11:42 43 ----a-w c:\documents and settings\Admin\Application Data\svighost.dll
2008-09-10 11:36 --------- d-----w c:\program files\GordianKnot
2008-09-10 11:36 --------- d-----w c:\program files\DivXCodec
2008-09-03 10:24 --------- d-----w c:\program files\YouTube Downloader 3000
2008-03-09 05:25 236 ---ha-w c:\program files\Common Files\dx.reg
2007-11-19 09:39 47,360 ----a-w c:\documents and settings\Admin\Application Data\pcouffin.sys
2007-09-19 14:17 81,920 ----a-w c:\documents and settings\Admin\Application Data\ezpinst.exe
2008-07-18 15:01 1,071,648 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-07-18 15:01 24,864 --sha-w c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56A9366C-793C-4283-8B40-22CD2F2B5E03}]
2008-10-24 08:58 93184 --a------ c:\windows\system32\rbgrc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-C39E-35F1D2A32EC8}]
2008-08-04 21:44 1947080 --a------ c:\progra~1\MEGAUP~1\MEGAUP~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-C39E-35F1D2A32EC8}"= "c:\progra~1\MEGAUP~1\MEGAUP~1.DLL" [2008-08-04 1947080]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A057A204-BACC-4D26-C39E-35F1D2A32EC8}"= "c:\progra~1\MEGAUP~1\MEGAUP~1.DLL" [2008-08-04 1947080]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-c39e-35f1d2a32ec8}]
[HKEY_CLASSES_ROOT\megauploadtoolbar.MEGAUPLOADTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-27 1576176]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2008-09-23 2607616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2004-04-06 106496]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]
"USBScan.exe"="c:\program files\USBScan\USBScan.exe" [2008-06-29 1261056]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-12-20 37376]
"SiSPower"="SiSPower.dll" [2006-08-22 c:\windows\system32\SiSPower.dll]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 c:\windows\SOUNDMAN.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCpl"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoStartMenuPinnedList"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)
"GreyMSIAds"= 1 (0x1)
"NoUserNameInStartMenu"= 1 (0x1)
"NoStartMenuSubFolders"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoStartMenuPinnedList"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoUserNameInStartMenu"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{51C55F9E-C308-4c95-89AB-8858D8AFD819}"= "c:\program files\ParetoLogic\Anti-Spyware\PASShlExt.dll" [2008-06-19 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\\WINDOWS\\system32\\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-09-27 08:02 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=share

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^MemTurbo.lnk]
path=c:\documents and settings\Admin\Start Menu\Programs\Startup\MemTurbo.lnk
backup=c:\windows\pss\MemTurbo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Admin\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Caffe-Server
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RavAV

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLD.EXE]
--a------ 2007-09-16 23:46 1343488 c:\program files\Download Direct\DLD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2008-09-23 11:06 2607616 c:\program files\Internet Download Manager\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"Netlogon"=3 (0x3)
"BITS"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ParetoLogic Anti-Spyware"="c:\program files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"anvshell"=anvshell.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Opera\\Opera.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\BitLord2\\BitLord.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12350:TCP"= 12350:TCP:NortonAV
"13146:TCP"= 13146:TCP:NortonAV
"18737:TCP"= 18737:TCP:NortonAV
"12750:TCP"= 12750:TCP:NortonAV
"17584:TCP"= 17584:TCP:NortonAV
"18435:TCP"= 18435:TCP:NortonAV
"15080:TCP"= 15080:TCP:NortonAV
"18791:TCP"= 18791:TCP:NortonAV
"17014:TCP"= 17014:TCP:NortonAV
"17285:TCP"= 17285:TCP:NortonAV
"13405:TCP"= 13405:TCP:NortonAV
"17225:TCP"= 17225:TCP:NortonAV
"16363:TCP"= 16363:TCP:NortonAV
"16739:TCP"= 16739:TCP:NortonAV
"16335:TCP"= 16335:TCP:NortonAV
"18913:TCP"= 18913:TCP:NortonAV
"17031:TCP"= 17031:TCP:NortonAV
"12429:TCP"= 12429:TCP:NortonAV
"13744:TCP"= 13744:TCP:NortonAV
"13153:TCP"= 13153:TCP:NortonAV
"16872:TCP"= 16872:TCP:NortonAV
"15884:TCP"= 15884:TCP:NortonAV
"12007:TCP"= 12007:TCP:NortonAV
"16663:TCP"= 16663:TCP:NortonAV
"12435:TCP"= 12435:TCP:NortonAV
"12690:TCP"= 12690:TCP:NortonAV
"17291:TCP"= 17291:TCP:NortonAV
"12301:TCP"= 12301:TCP:NortonAV
"18840:TCP"= 18840:TCP:NortonAV
"12858:TCP"= 12858:TCP:NortonAV
"18344:TCP"= 18344:TCP:NortonAV
"17517:TCP"= 17517:TCP:NortonAV
"13371:TCP"= 13371:TCP:NortonAV
"16901:TCP"= 16901:TCP:NortonAV
"18285:TCP"= 18285:TCP:NortonAV
"18087:TCP"= 18087:TCP:NortonAV
"16587:TCP"= 16587:TCP:NortonAV
"14839:TCP"= 14839:TCP:NortonAV
"14984:TCP"= 14984:TCP:NortonAV
"17824:TCP"= 17824:TCP:NortonAV
"15822:TCP"= 15822:TCP:NortonAV
"12893:TCP"= 12893:TCP:NortonAV
"18406:TCP"= 18406:TCP:NortonAV
"16767:TCP"= 16767:TCP:NortonAV
"13361:TCP"= 13361:TCP:NortonAV
"15180:TCP"= 15180:TCP:NortonAV
"14253:TCP"= 14253:TCP:NortonAV
"18530:TCP"= 18530:TCP:NortonAV
"12543:TCP"= 12543:TCP:NortonAV
"13341:TCP"= 13341:TCP:NortonAV
"13385:TCP"= 13385:TCP:NortonAV
"16693:TCP"= 16693:TCP:NortonAV
"12357:TCP"= 12357:TCP:NortonAV
"14643:TCP"= 14643:TCP:NortonAV
"16617:TCP"= 16617:TCP:NortonAV
"13912:TCP"= 13912:TCP:NortonAV
"15165:TCP"= 15165:TCP:NortonAV
"12476:TCP"= 12476:TCP:NortonAV
"13252:TCP"= 13252:TCP:NortonAV
"13833:TCP"= 13833:TCP:NortonAV
"13461:TCP"= 13461:TCP:NortonAV
"16607:TCP"= 16607:TCP:NortonAV
"12983:TCP"= 12983:TCP:NortonAV
"12465:TCP"= 12465:TCP:NortonAV
"15817:TCP"= 15817:TCP:NortonAV
"15969:TCP"= 15969:TCP:NortonAV
"12729:TCP"= 12729:TCP:NortonAV
"17582:TCP"= 17582:TCP:NortonAV
"17818:TCP"= 17818:TCP:NortonAV
"15964:TCP"= 15964:TCP:NortonAV
"18685:TCP"= 18685:TCP:NortonAV
"15451:TCP"= 15451:TCP:NortonAV
"15637:TCP"= 15637:TCP:NortonAV
"17057:TCP"= 17057:TCP:NortonAV
"12212:TCP"= 12212:TCP:NortonAV
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"94:TCP"= 94:TCP:VRS Recording System Web Control Panel
"8000:UDP"= 8000:UDP:Axon Virtual PBX RTP Incoming Audio (UDP)
"81:TCP"= 81:TCP:Axon Virtual PBX Web Server

R0 Achernar;Achernar - SCSI Command Filters;c:\windows\system32\Drivers\Achernar.sys [2005-09-23 16855]
R0 kqquysbs;kqquysbs;c:\windows\system32\drivers\kqquysbs.sys [2001-08-23 23424]
R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2007-12-21 33800]
R3 Aldebaran;Aldebaran - SCSI Command Filters;c:\windows\system32\Drivers\Aldebaran.sys [2005-09-23 21808]
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;c:\windows\system32\DRIVERS\sisnicxp.sys [2006-02-14 32768]
S1 ANVIOCTL;ANVIOCTL;c:\windows\system32\DRIVERS\anvioctl.sys [2004-07-08 233816]
S1 SysTool;SysTool Overclocking Utility;c:\windows\system32\DRIVERS\SysTool.sys [2006-11-10 24064]
S2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe [2004-08-03 14336]
S3 GT680xNT;ColorPage-Vivid 1200XE;c:\windows\system32\drivers\gt680x.sys [ ]
S3 HSFHWCD2;HSFHWCD2;c:\windows\system32\DRIVERS\HSFHWCD2.sys [ ]
S3 qcusbser;Mobile Connector USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\cmusbser.sys [2007-10-16 97408]
S3 Service_Desktop;Desktop;c:\program files\Free-Soft\Virtual Desktop\Desktop.exe [2004-08-20 414208]
S3 SIWIO;SIWIO;c:\windows\TEMP\SiwIo.sys [ ]
S3 TridDev;Trident Device;c:\windows\system32\DRIVERS\Triddev.sys [2005-04-26 3584]
S3 tridhid;tridhid - USB 2.0 HID Driver;c:\windows\system32\drivers\tridhid.sys [2006-09-04 6656]
S3 TridVid;PlayTV 405 Analog Video;c:\windows\system32\DRIVERS\TridVid.sys [2006-09-11 138880]
S3 usbprint;Microsoft USB PRINTER Class;c:\windows\system32\DRIVERS\usbprint.sys [2004-08-04 25856]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4be02e21-d4ac-11dc-ac90-0015f2b0b221}]
\Shell\AutoRun\command - f:\.\ShowModem.exe
.
Contents of the 'Scheduled Tasks' folder

2008-10-10 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe []

2008-10-07 c:\windows\Tasks\Pareto UNS.job
- c:\program files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe []

2008-07-21 c:\windows\Tasks\ParetoLogic Anti-Spyware.job
- c:\program files\ParetoLogic\Anti-Spyware\Pareto_AS.exe [2007-08-01 12:56]

2008-07-21 c:\windows\Tasks\ParetoLogic Anti-Spyware.job
- c:\program files\ParetoLogic\Anti-Spyware\ [2008-10-22 15:01]

2008-09-26 c:\windows\Tasks\ParetoLogic Update.job
- c:\program files\Common Files\ParetoLogic\UUS\Pareto_Update.exe [2007-08-01 12:39]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
ShellExecuteHooks-{097F10A7-487F-4457-AB1F-827C59479A72} - (no file)
MSConfigStartUp-DownloadAccelerator - c:\program files\DAP\DAP.EXE
MSConfigStartUp-KiweeHook - c:\program files\Kiwee Toolbar2\1.3.118\kwtbaim.exe
MSConfigStartUp-SmartRAM - c:\program files\IObit\Advanced WindowsCare V2\MemCleaner.exe
MSConfigStartUp-SpeedBitVideoAccelerator - c:\program files\SpeedBit Video Accelerator\VideoAccelerator.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\1kxavb3l.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.toggle.com/index.php?rvs=hompag
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-03 17:06:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\lsass.exe
-> c:\windows\system32\SpamExpertsLSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\asuskbservice.exe
c:\program files\Eset\ESET NOD32 Antivirus\ekrn.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\UAService7.exe
c:\windows\system32\wscntfy.exe
c:\program files\Internet Download Manager\IEMonitor.exe
c:\program files\Opera\opera.exe
c:\program files\Winamp\winamp.exe
.
**************************************************************************
.
Completion time: 2008-11-03 17:15:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-03 16:14:56

Pre-Run: 13,014,601,728 bytes free
Post-Run: 13,065,625,600 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /tutag=e1a364 /kernel=tukernel.exe /bootlog

394 --- E O F --- 2008-10-03 14:57:15

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Download the program from the following link: http://amf.mycity.rs/personal/dr_Bora/Win32.Rjump_Port_Exception_Cleaner.exe

Run it with a double-click and follow the procedure to the end (it will take only 1-2 seconds).

-------------------------------------------------------------------------------------

Open Notepad and copy the following text:

File::
c:\documents and settings\Admin\Application Data\svighost.dll
c:\windows\system32\drivers\kqquysbs.sys

Driver::
kqquysbs

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56A9366C-793C-4283-8B40-22CD2F2B5E03}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RavAV]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4be02e21-d4ac-11dc-ac90-0015f2b0b221}]


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as in the picture.
Post in the next message the log that is created at the end of the cleaning/scan.
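dr_Bora's reply follows from three things visible in the ComboFix log above: the Windows Firewall is switched off (`"EnableFirewall"= 0`), the Security Center's antivirus and update notifications are suppressed, and the firewall's `GloballyOpenPorts\List` carries dozens of exceptions on random high TCP ports all labelled `NortonAV`. As an added example (not dr_Bora's cleaner and not part of the original thread), the Python below parses a constructed excerpt in the ComboFix "Reg Loading Points" format and flags exactly those three conditions. The section-name matching, the threshold of five high ports under one label, and the sample excerpt itself are assumptions of this example, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the ComboFix "Reg Loading Points"
# sections quoted in the thread (a short excerpt, not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12350:TCP"= 12350:TCP:NortonAV
"13146:TCP"= 13146:TCP:NortonAV
"18737:TCP"= 18737:TCP:NortonAV
"12750:TCP"= 12750:TCP:NortonAV
"17584:TCP"= 17584:TCP:NortonAV
"18435:TCP"= 18435:TCP:NortonAV
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"94:TCP"= 94:TCP:VRS Recording System Web Control Panel
"8000:UDP"= 8000:UDP:Axon Virtual PBX RTP Incoming Audio (UDP)
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "Name"= data
PORT_RE = re.compile(r"^(\d+):(TCP|UDP):(.*)$")  # 12350:TCP:Label


def parse_sections(text):
    """Return {section_name: {value_name: raw_data}} for a REGEDIT4-style dump."""
    sections = defaultdict(dict)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2).strip()
    return sections


def triage(text, flood_threshold=5):
    """Return a list of findings describing weakened security posture.

    flood_threshold (assumed value) is how many distinct high ports may share
    one exception label before the set is reported as a port-exception flood.
    """
    findings = []
    for name, values in parse_sections(text).items():
        lname = name.lower()
        if lname.endswith("security center"):
            # dword:00000001 means the Security Center warning is suppressed
            for key in ("AntiVirusDisableNotify", "UpdatesDisableNotify"):
                if values.get(key, "").endswith("1"):
                    findings.append(f"Security Center notification suppressed: {key}")
        elif lname.endswith("firewallpolicy\\standardprofile"):
            if values.get("EnableFirewall", "").startswith("0"):
                findings.append("Windows Firewall disabled (EnableFirewall=0)")
        elif lname.endswith("globallyopenports\\list"):
            # Group open-port exceptions by their descriptive label
            by_label = defaultdict(set)
            for raw in values.values():
                m = PORT_RE.match(raw)
                if m:
                    by_label[m.group(3)].add((int(m.group(1)), m.group(2)))
            for label, ports in by_label.items():
                high = sorted(p for p, _ in ports if p > 1024)
                if len(high) >= flood_threshold:
                    findings.append(
                        f"Port-exception flood: {len(ports)} exceptions labelled "
                        f"{label!r} on high ports {high[0]}-{high[-1]}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Running the block prints one line per finding: two suppressed Security Center notifications, the disabled firewall, and a six-port `NortonAV` flood. The grouping by label is the useful part: a genuine product registers a handful of fixed ports, whereas a long run of random high ports sharing one label is the pattern that stands out in the log above.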

  • MDVLAD
  • New MyCity citizen
  • Joined: 20 Sep 2008
  • Posts: 16

ComboFix 08-11-03.04 - Admin 2008-11-04 9:07:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.592 [GMT 1:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
c:\documents and settings\Admin\Application Data\svighost.dll
c:\windows\system32\drivers\kqquysbs.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Admin\Application Data\svighost.dll
c:\windows\system32\drivers\kqquysbs.sys
c:\windows\system32\rbgrc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KQQUYSBS
-------\Service_kqquysbs


((((((((((((((((((((((((( Files Created from 2008-10-04 to 2008-11-04 )))))))))))))))))))))))))))))))
.

2008-11-03 12:44 . 2008-11-03 12:44 250 --a------ c:\windows\gmer.ini
2008-10-22 14:57 . 2008-10-22 14:58 <DIR> d-------- c:\program files\Winamp
2008-10-22 14:57 . 2008-10-22 14:58 <DIR> d-------- c:\documents and settings\Admin\Application Data\Winamp
2008-10-14 13:53 . 2004-08-03 23:56 152,576 --a------ c:\windows\system32\irftp.exe
2008-10-14 13:53 . 2004-08-03 23:56 152,576 --a--c--- c:\windows\system32\dllcache\irftp.exe
2008-10-14 13:53 . 2004-08-03 23:56 27,136 --a------ c:\windows\system32\irmon.dll
2008-10-14 13:53 . 2004-08-03 23:56 27,136 --a--c--- c:\windows\system32\dllcache\irmon.dll
2008-10-14 13:53 . 2004-08-03 23:56 8,192 --a------ c:\windows\system32\wshirda.dll
2008-10-14 13:53 . 2004-08-03 23:56 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2008-10-13 08:53 . 2008-10-13 08:53 <DIR> d-------- c:\program files\AGI
2008-10-08 11:13 . 2008-10-08 13:34 <DIR> d--hs---- C:\INCINERATE
2008-10-08 11:02 . 2008-10-08 11:02 <DIR> d-------- c:\program files\iolo
2008-10-08 11:02 . 2002-06-04 15:48 309,248 --a------ c:\windows\system32\Incinerator.dll
2008-10-07 09:46 . 2008-10-07 09:46 <DIR> d-------- c:\documents and settings\Admin\Application Data\fltk.org
2008-10-04 15:49 . 2008-10-04 16:46 <DIR> d-------- c:\program files\Download Direct

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-04 08:44 --------- d-----w c:\documents and settings\Admin\Application Data\IDM
2008-11-04 07:58 --------- d-----w c:\documents and settings\Admin\Application Data\DMCache
2008-11-01 09:14 --------- d-----w c:\documents and settings\Admin\Application Data\MegauploadToolbar
2008-10-29 10:59 --------- d-----w c:\program files\TuneUp Utilities 2007
2008-10-22 13:48 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-22 13:45 --------- d-----w c:\program files\Java
2008-10-22 08:48 --------- d-----w c:\program files\KONAMI
2008-10-17 12:34 --------- d-----w c:\program files\nLite
2008-10-14 07:00 --------- d-----w c:\program files\Webshots
2008-10-10 08:33 --------- d-----w c:\program files\Opera
2008-10-07 13:19 --------- d-----w c:\program files\Pcsx2
2008-10-07 08:02 --------- d-----w c:\program files\MemTurbo 4
2008-10-07 08:02 --------- d-----w c:\program files\Internet Download Manager
2008-10-07 08:02 --------- d-----w c:\documents and settings\Admin\Application Data\LimeWire
2008-10-07 08:02 --------- d-----w c:\documents and settings\Admin\Application Data\BitTorrent
2008-09-27 08:36 --------- d-----w c:\program files\Sun
2008-09-27 07:02 --------- d-----w c:\program files\SUPERAntiSpyware
2008-09-25 11:44 --------- d-----w c:\program files\Easy GIF Animator
2008-09-23 14:28 --------- d-----w c:\program files\Advanced GIF Animator
2008-09-23 14:20 --------- d-----w c:\program files\ACE Photo Frame
2008-09-23 08:21 --------- d-----w c:\program files\DAP
2008-09-23 08:20 --------- d-----w c:\documents and settings\All Users\Application Data\SpeedBit
2008-09-23 08:19 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-09-22 12:36 --------- d-----w c:\program files\Paragon Software
2008-09-22 06:59 --------- d-----w c:\program files\MegauploadToolbar
2008-09-20 07:05 --------- d-----w c:\documents and settings\Admin\Application Data\EmailNotifier
2008-09-19 13:32 --------- d-----w c:\documents and settings\Admin\Application Data\Megaupload
2008-09-19 13:22 --------- d-----w c:\documents and settings\All Users\Application Data\Megaupload
2008-09-19 13:22 --------- d-----w c:\documents and settings\All Users\Application Data\EmailNotifier
2008-09-19 13:21 --------- d-----w c:\program files\Megaupload
2008-09-19 13:21 --------- d-----w c:\documents and settings\Admin\Application Data\InstallShield
2008-09-16 13:32 --------- d-----w c:\program files\Yahoo!
2008-09-16 13:31 --------- d-----w c:\program files\ScreenVCR
2008-09-16 13:31 --------- d-----w c:\program files\LimeWire
2008-09-16 13:31 --------- d-----w c:\program files\Gabest
2008-09-16 13:30 --------- d-----w c:\program files\Runtime Software
2008-09-16 13:25 --------- d-----w c:\program files\ACD Systems
2008-09-16 13:24 --------- d-----w c:\program files\Common Files\ACD Systems
2008-09-16 13:24 --------- d-----w c:\documents and settings\All Users\Application Data\ACD Systems
2008-09-15 08:41 --------- d-----w c:\program files\SpeedOptimizer
2008-09-15 08:41 --------- d-----w c:\documents and settings\Admin\Application Data\SpeedBit
2008-09-13 12:24 --------- d-----w c:\program files\Common Files\xing shared
2008-09-13 12:23 --------- d-----w c:\program files\Common Files\Real
2008-09-11 08:41 --------- d-----w c:\program files\USBScan
2008-09-10 12:02 --------- dc-h--w c:\documents and settings\All Users\Application Data\{5A76C6B3-3FA8-46D0-AA81-62C3805E38BC}
2008-09-10 11:36 --------- d-----w c:\program files\GordianKnot
2008-09-10 11:36 --------- d-----w c:\program files\DivXCodec
2008-03-09 05:25 236 ---ha-w c:\program files\Common Files\dx.reg
2007-11-19 09:39 47,360 ----a-w c:\documents and settings\Admin\Application Data\pcouffin.sys
2007-09-19 14:17 81,920 ----a-w c:\documents and settings\Admin\Application Data\ezpinst.exe
2008-07-18 15:01 1,071,648 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-07-18 15:01 24,864 --sha-w c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( snapshot@2008-11-03_17.13.50.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-11-03 08:03:44 79,118 ----a-w c:\windows\system32\perfc009.dat
+ 2008-11-04 08:44:31 79,118 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-03 08:03:44 457,622 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-04 08:44:31 457,622 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-C39E-35F1D2A32EC8}]
2008-08-04 21:44 1947080 --a------ c:\progra~1\MEGAUP~1\MEGAUP~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-C39E-35F1D2A32EC8}"= "c:\progra~1\MEGAUP~1\MEGAUP~1.DLL" [2008-08-04 1947080]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A057A204-BACC-4D26-C39E-35F1D2A32EC8}"= "c:\progra~1\MEGAUP~1\MEGAUP~1.DLL" [2008-08-04 1947080]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-c39e-35f1d2a32ec8}]
[HKEY_CLASSES_ROOT\megauploadtoolbar.MEGAUPLOADTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-27 1576176]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2008-09-23 2607616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2004-04-06 106496]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]
"USBScan.exe"="c:\program files\USBScan\USBScan.exe" [2008-06-29 1261056]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-12-20 37376]
"SiSPower"="SiSPower.dll" [2006-08-22 c:\windows\system32\SiSPower.dll]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 c:\windows\SOUNDMAN.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCpl"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoStartMenuPinnedList"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)
"GreyMSIAds"= 1 (0x1)
"NoUserNameInStartMenu"= 1 (0x1)
"NoStartMenuSubFolders"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoStartMenuPinnedList"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoUserNameInStartMenu"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{51C55F9E-C308-4c95-89AB-8858D8AFD819}"= "c:\program files\ParetoLogic\Anti-Spyware\PASShlExt.dll" [2008-06-19 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\\WINDOWS\\system32\\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-09-27 08:02 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=share

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^MemTurbo.lnk]
path=c:\documents and settings\Admin\Start Menu\Programs\Startup\MemTurbo.lnk
backup=c:\windows\pss\MemTurbo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Admin\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Caffe-Server
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLD.EXE]
--a------ 2007-09-16 23:46 1343488 c:\program files\Download Direct\DLD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2008-09-23 11:06 2607616 c:\program files\Internet Download Manager\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"Netlogon"=3 (0x3)
"BITS"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ParetoLogic Anti-Spyware"="c:\program files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"anvshell"=anvshell.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Opera\\Opera.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\BitLord2\\BitLord.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"94:TCP"= 94:TCP:VRS Recording System Web Control Panel
"8000:UDP"= 8000:UDP:Axon Virtual PBX RTP Incoming Audio (UDP)
"81:TCP"= 81:TCP:Axon Virtual PBX Web Server

R0 Achernar;Achernar - SCSI Command Filters;c:\windows\system32\Drivers\Achernar.sys [2005-09-23 16855]
R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2007-12-21 33800]
R3 Aldebaran;Aldebaran - SCSI Command Filters;c:\windows\system32\Drivers\Aldebaran.sys [2005-09-23 21808]
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;c:\windows\system32\DRIVERS\sisnicxp.sys [2006-02-14 32768]
S1 ANVIOCTL;ANVIOCTL;c:\windows\system32\DRIVERS\anvioctl.sys [2004-07-08 233816]
S1 SysTool;SysTool Overclocking Utility;c:\windows\system32\DRIVERS\SysTool.sys [2006-11-10 24064]
S2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe [2004-08-03 14336]
S3 GT680xNT;ColorPage-Vivid 1200XE;c:\windows\system32\drivers\gt680x.sys [ ]
S3 HSFHWCD2;HSFHWCD2;c:\windows\system32\DRIVERS\HSFHWCD2.sys [ ]
S3 qcusbser;Mobile Connector USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\cmusbser.sys [2007-10-16 97408]
S3 Service_Desktop;Desktop;c:\program files\Free-Soft\Virtual Desktop\Desktop.exe [2004-08-20 414208]
S3 SIWIO;SIWIO;c:\windows\TEMP\SiwIo.sys [ ]
S3 TridDev;Trident Device;c:\windows\system32\DRIVERS\Triddev.sys [2005-04-26 3584]
S3 tridhid;tridhid - USB 2.0 HID Driver;c:\windows\system32\drivers\tridhid.sys [2006-09-04 6656]
S3 TridVid;PlayTV 405 Analog Video;c:\windows\system32\DRIVERS\TridVid.sys [2006-09-11 138880]
S3 usbprint;Microsoft USB PRINTER Class;c:\windows\system32\DRIVERS\usbprint.sys [2004-08-04 25856]

*Newly Created Service* - KQQUYSBS
.
Contents of the 'Scheduled Tasks' folder

2008-10-10 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe []

2008-10-07 c:\windows\Tasks\Pareto UNS.job
- c:\program files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe []

2008-07-21 c:\windows\Tasks\ParetoLogic Anti-Spyware.job
- c:\program files\ParetoLogic\Anti-Spyware\Pareto_AS.exe [2007-08-01 12:56]

2008-07-21 c:\windows\Tasks\ParetoLogic Anti-Spyware.job
- c:\program files\ParetoLogic\Anti-Spyware\ [2008-10-22 15:01]

2008-09-26 c:\windows\Tasks\ParetoLogic Update.job
- c:\program files\Common Files\ParetoLogic\UUS\Pareto_Update.exe [2007-08-01 12:39]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-04 09:43:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\lsass.exe
-> c:\windows\system32\SpamExpertsLSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\asuskbservice.exe
c:\program files\Eset\ESET NOD32 Antivirus\ekrn.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\UAService7.exe
c:\windows\system32\wscntfy.exe
c:\program files\Winamp\winamp.exe
c:\program files\Internet Download Manager\IEMonitor.exe
.
**************************************************************************
.
Completion time: 2008-11-04 9:49:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-04 08:49:26
ComboFix2.txt 2008-11-03 16:15:12

Pre-Run: 13,173,067,776 bytes free
Post-Run: 13,064,261,632 bytes free

295 --- E O F --- 2008-10-03 14:57:15
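The ComboFix log above records three deleted files, the removal of the kqquysbs driver/service, and two weak host settings that ComboFix reports under "Reg Loading Points" but does not change: Security Center antivirus and update notifications are disabled, and Windows Firewall is turned off for the standard profile. As an added example (not part of this thread and not ComboFix's own code), the Python script below parses a constructed log fragment laid out like the one above and summarises exactly those points. The section titles, value renderings and sample lines follow the posted log's layout; the table of flagged settings is my own and covers only values that appear on this page.

```python
"""Summarise a ComboFix-style log and flag weak host settings it records.

Added example: not part of the forum thread and not ComboFix's own code.
SAMPLE_LOG is constructed to mirror the layout of the log posted above.
"""
import re

SAMPLE_LOG = r"""
FILE ::
c:\documents and settings\Admin\Application Data\svighost.dll
c:\windows\system32\drivers\kqquysbs.sys
.

(((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))
.

c:\documents and settings\Admin\Application Data\svighost.dll
c:\windows\system32\drivers\kqquysbs.sys
c:\windows\system32\rbgrc.dll

.
(((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))
.

-------\Legacy_KQQUYSBS
-------\Service_kqquysbs

(((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

*Newly Created Service* - KQQUYSBS
.
"""

# A section header is a title wrapped in long runs of parentheses.
_HEADER = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}$")
_REG_KEY = re.compile(r"^\[(.+)\]$")
_REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
_NEW_SERVICE = re.compile(r"^\*Newly Created Service\*\s*-\s*(\S+)", re.M)

# (registry key suffix, value name, value meaning "weakened", explanation)
# Only values present in the posted log are listed here.
WEAK_CHECKS = (
    ("security center", "AntiVirusDisableNotify", 1,
     "Security Center antivirus alerts are suppressed"),
    ("security center", "UpdatesDisableNotify", 1,
     "Security Center update alerts are suppressed"),
    ("firewallpolicy\\standardprofile", "EnableFirewall", 0,
     "Windows Firewall is disabled for the standard profile"),
)


def parse_sections(text):
    """Map each section title to its content lines ("." separators dropped)."""
    sections, current = {}, "FILE"
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line == "." or line == "FILE ::":
            continue
        m = _HEADER.match(line)
        if m:
            current = m.group(1)
            continue
        sections.setdefault(current, []).append(line)
    return sections


def reg_int(raw):
    """Turn ComboFix value renderings ('dword:00000001', '0 (0x0)') into an int."""
    m = re.match(r"dword:([0-9a-fA-F]+)", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x[0-9a-fA-F]+\)", raw)
    if m:
        return int(m.group(1))
    return None  # paths, CLSIDs and other non-numeric values


def parse_registry(lines):
    """Group value lines under the [key] line that precedes them."""
    reg, key = {}, None
    for line in lines:
        m = _REG_KEY.match(line)
        if m:
            key = m.group(1).lower()
            reg.setdefault(key, {})
            continue
        m = _REG_VALUE.match(line)
        if m and key is not None:
            reg[key][m.group(1)] = m.group(2).strip()
    return reg


def find_weak_settings(reg):
    """Return one finding per WEAK_CHECKS entry whose value matches the weak state."""
    findings = []
    for key, values in reg.items():
        for suffix, name, bad, why in WEAK_CHECKS:
            if key.endswith(suffix) and name in values and reg_int(values[name]) == bad:
                findings.append(f"{name}={values[name]}: {why}")
    return findings


def summarize(text):
    """Deleted files, removed and newly created services, and weak settings."""
    sections = parse_sections(text)
    services = sections.get("Drivers/Services", [])
    return {
        "deleted": sections.get("Other Deletions", []),
        "removed_services": [s.split("\\", 1)[1] for s in services if s.startswith("-------\\")],
        "new_services": _NEW_SERVICE.findall(text),
        "weak_settings": find_weak_settings(parse_registry(sections.get("Reg Loading Points", []))),
    }


if __name__ == "__main__":
    for heading, items in summarize(SAMPLE_LOG).items():
        print(heading, *items, sep="\n  ")
```

Run against the fragment, the summary lists the three deleted files, the Legacy_KQQUYSBS and Service_kqquysbs entries, the KQQUYSBS service and three weak-setting findings; the last group is the part worth acting on after a cleanup, since a disabled firewall and silenced Security Center alerts stay that way until someone turns them back on.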

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

How are things now?

offline
  • MDVLAD 
  • New MyCity citizen
  • Joined: 20 Sep 2008
  • Posts: 16

Nobody has complained to me that they have been receiving anything; does that mean the problem is solved?

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

From what I can see, the computer is clean.

Do the following:
Click START and then RUN
In the text entry box type Combofix /u and click OK

Wait for the uninstallation process to finish

The procedure above will:
Delete the following:
ComboFix and its files and folders
the VundoFix Backups folder, if it exists
the C:\Deckard folder, if it exists
the C:\OtMoveIt folder, if it exists

Reset the clock settings on the computer
Hide file extensions, if needed
Hide system/hidden files/folders, if needed
Reset System Restore

If there are any problems... you know where to find us.

offline
  • MDVLAD 
  • New MyCity citizen
  • Joined: 20 Sep 2008
  • Posts: 16

Thanks a lot, the computer runs much better now, and as far as I can tell MSN no longer freezes either; everything is OK now.
