Computer freezes


offline
  • Joined: 17 Nov 2009
  • Posts: 8

First time posting here, because I heard you raise the dead :D ... otherwise I wouldn't even be writing to you. Just kidding, I said that so you won't hold it against me if I didn't do something right.

It started happening that my computer freezes, so I simply uninstalled the antivirus (Avira) and now it seems to run better.

Thanks in advance; I believe I'll be a loyal pest from now on ;)




DDS (Ver_09-10-26.01) - NTFSx86
Run by ElektronS at 21:33:47.47 on Tue 11/17/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.256.144 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\ElektronS\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ba/
uSearch Page = hxxp://search.live.com
mSearchAssistant = hxxp://search.live.com/sphome.aspx
mWinlogon: Userinit=userinit.exe,autorun.bat
mWinlogon: SFCDisable=-99 (0xffffff9d)
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [amva] c:\windows\system32\amvo.exe
uRun: [SkinClock] c:\program files\atomic alarm clock\AtomicAlarmClock.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [run32] c:\win\lsass.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: StartMenuLogoff = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\elektr~1\applic~1\mozilla\firefox\profiles\hmw36r6o.default\
FF - prefs.js: browser.search.selectedEngine - YouTube
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ba/
FF - prefs.js: keyword.URL -
FF - plugin: c:\program files\mozilla firefox\plugins\npvlc.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-11-15 14:09:23 0 d-----w- c:\program files\uTorrent
2009-11-15 14:09:02 0 d-----w- c:\docume~1\elektr~1\applic~1\uTorrent
2009-11-15 09:41:58 0 d-----w- c:\program files\Atomic Alarm Clock
2009-11-15 09:24:09 0 d-s---w- c:\documents and settings\elektrons\UserData
2009-11-14 22:35:44 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-14 19:57:31 0 d-----w- c:\documents and settings\elektrons\Tracing
2009-11-14 19:37:11 0 d-----w- c:\program files\common files\Windows Live
2009-11-14 18:00:30 417677 ----a-w- c:\documents and settings\elektrons\15052007(001).jpg

==================== Find3M ====================

2006-11-13 21:29:06 162064 ----a-w- c:\windows\inf\klif.sys
2006-11-13 19:16:26 61072 ----a-w- c:\windows\inf\klick.sys
2006-11-13 19:16:26 59536 ----a-w- c:\windows\inf\klin.sys
2006-02-15 18:59:12 15496 ----a-w- c:\windows\inf\klop.sys
2006-02-13 14:24:10 20699 ----a-w- c:\windows\inf\kl1.sys
2005-11-13 19:27:56 163644 ----a-w- c:\windows\inf\secdrv.sys
2005-10-21 01:47:06 12800 ----a-w- c:\windows\inf\usb8023x.sys
2005-10-21 01:47:06 12800 ----a-w- c:\windows\inf\usb8023.sys
2005-10-21 01:47:04 30592 ----a-w- c:\windows\inf\rndismpx.sys
2005-10-21 01:47:04 30592 ----a-w- c:\windows\inf\rndismp.sys
2005-08-15 09:08:26 5888 ----a-w- c:\windows\inf\imagedrv.sys
2005-08-15 09:08:26 127488 ----a-w- c:\windows\inf\imagesrv.sys
2004-08-10 23:45:06 18944 ----a-w- c:\windows\inf\wpdusb.sys
2004-08-04 00:07:00 73472 ----a-w- c:\windows\inf\sr.sys
2004-08-04 00:07:00 21896 ----a-w- c:\windows\inf\tdtcp.sys
2004-08-04 00:07:00 139400 ----a-w- c:\windows\inf\rdpwd.sys
2004-08-04 00:07:00 124800 ----a-w- c:\windows\inf\fltMgr.sys
2004-08-04 00:07:00 12040 ----a-w- c:\windows\inf\tdpipe.sys
2004-08-03 23:01:08 40840 ----a-w- c:\windows\inf\termdd.sys
2004-08-03 22:56:44 86016 ----a-w- c:\windows\inf\mdmxsdk.dll
2004-08-03 22:56:44 32285 ----a-w- c:\windows\inf\HSFCISP2.dll
2004-08-03 21:15:56 60800 ----a-w- c:\windows\inf\sysaudio.sys
2004-08-03 21:15:50 145792 ----a-w- c:\windows\inf\portcls.sys
2004-08-03 21:15:22 140928 ----a-w- c:\windows\inf\ks.sys
2004-08-03 21:15:06 82944 ----a-w- c:\windows\inf\wdmaud.sys
2004-08-03 21:08:48 31616 ----a-w- c:\windows\inf\usbccgp.sys
2004-08-03 21:08:48 26496 ----a-w- c:\windows\inf\USBSTOR.SYS
2004-08-03 21:08:22 10624 ----a-w- c:\windows\inf\gameenum.sys
2004-08-03 21:08:04 48640 ----a-w- c:\windows\inf\stream.sys
2004-08-03 21:08:00 60288 ----a-w- c:\windows\inf\drmk.sys
2004-08-03 21:07:58 2944 ----a-w- c:\windows\inf\drmkaud.sys
2004-08-03 21:07:50 171776 ----a-w- c:\windows\inf\kmixer.sys
2004-08-03 21:07:48 6400 ----a-w- c:\windows\inf\splitter.sys
2004-08-03 21:07:44 44672 ----a-w- c:\windows\inf\UAGP35.SYS
2004-08-03 21:07:40 52864 ----a-w- c:\windows\inf\DMusic.sys
2004-08-03 21:01:16 196864 ----a-w- c:\windows\inf\rdpdr.sys
2004-08-03 21:00:54 87424 ----a-w- c:\windows\inf\irda.sys
2004-08-03 21:00:48 22016 ----a-w- c:\windows\inf\MSIRCOMM.sys
2004-08-03 20:59:38 57472 ----a-w- c:\windows\inf\redbook.sys
2004-08-03 20:58:42 7552 ----a-w- c:\windows\inf\MSKSSRV.sys
2004-08-03 20:58:42 4992 ----a-w- c:\windows\inf\MSPQM.sys
2004-08-03 20:58:40 5376 ----a-w- c:\windows\inf\MSPCLOCK.sys
2004-08-03 20:41:56 11868 ----a-w- c:\windows\inf\mdmxsdk.sys
2004-08-03 20:41:56 1041536 ----a-w- c:\windows\inf\HSFDPSP2.sys
2004-08-03 20:41:50 685056 ----a-w- c:\windows\inf\HSFCXTS2.sys
2004-08-03 20:41:48 220032 ----a-w- c:\windows\inf\HSFBS2S2.sys
2004-08-03 20:39:38 142464 ----a-w- c:\windows\inf\aec.sys
2004-07-15 09:42:00 2459712 ----a-w- c:\windows\inf\nv4_mini.sys
2003-10-31 09:22:38 77312 ----a-r- c:\windows\inf\viasraid.sys
2003-10-28 09:02:00 20016 ----a-w- c:\windows\inf\pxhelp20.sys
2003-07-15 14:00:00 578368 ----a-w- c:\windows\inf\smwdm.sys
2003-07-02 02:42:00 27904 ----a-w- c:\windows\inf\VIAAGP1.SYS
2003-04-15 14:59:04 5824 ----a-w- c:\windows\inf\ASUSHWIO.SYS
2003-04-08 09:30:48 3744 ----a-w- c:\windows\inf\smsens.sys
2002-04-01 12:15:00 4816 ----a-w- c:\windows\inf\aeaudio.sys
2001-11-19 16:05:18 3972 ----a-w- c:\windows\inf\PciBus.sys
2001-08-17 12:02:20 9600 ----a-w- c:\windows\inf\hidusb.sys
2001-08-17 12:00:52 54272 ----a-w- c:\windows\inf\swmidi.sys
2001-08-17 11:59:44 3072 ----a-w- c:\windows\inf\audstub.sys
2001-08-17 11:58:02 35840 ----a-w- c:\windows\inf\isapnp.sys
2001-08-17 11:51:32 19584 ----a-w- c:\windows\inf\rasirda.sys
2001-08-17 11:49:10 26624 ----a-w- c:\windows\inf\irstusb.sys
1999-10-21 07:12:52 20400 ----a-w- c:\windows\inf\Entech.sys
1997-04-22 08:16:00 6272 ----a-w- c:\windows\inf\ASLM75.SYS
2009-07-03 02:26:38 21 --sha-r- c:\windows\system32\101207.cmd
2009-07-03 02:26:38 83 --sha-r- c:\windows\system32\26990.vbs
2006-07-30 22:20:12 959 --sha-r- c:\windows\system32\autorun.bin
2009-07-03 02:26:38 18 --sha-r- c:\windows\system32\config\101007.cmd
2009-07-03 02:26:38 21 --sha-r- c:\windows\system32\config\101207.cmd
2009-07-03 02:26:38 83 --sha-r- c:\windows\system32\config\26990.vbs

============= FINISH: 21:33:54.59 ===============
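As an added example for this thread (not part of the posts, nor of DDS or ComboFix), a Python triage script that applies to DDS output the checks the helper acted on above: a Userinit value chaining an extra program, a non-zero SFCDisable, a system binary name launched from outside system32, and hidden+system files under the Windows directory. The sample lines are copied from the posted DDS log; the heuristics, trusted-directory list and system-name list are this example's own assumptions.

```python
import re

# Constructed sample: lines copied from the DDS log posted in this thread.
SAMPLE_LOG = r"""
mWinlogon: Userinit=userinit.exe,autorun.bat
mWinlogon: SFCDisable=-99 (0xffffff9d)
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [amva] c:\windows\system32\amvo.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [run32] c:\win\lsass.exe
dRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
2009-11-15 14:09:23 0 d-----w- c:\program files\uTorrent
2009-11-15 09:24:09 0 d-s---w- c:\documents and settings\elektrons\UserData
2009-07-03 02:26:38 21 --sha-r- c:\windows\system32\101207.cmd
2009-07-03 02:26:38 83 --sha-r- c:\windows\system32\26990.vbs
2006-07-30 22:20:12 959 --sha-r- c:\windows\system32\autorun.bin
"""

# Heuristic inputs: this example's assumptions, not DDS or ComboFix logic.
SYSTEM32 = "c:\\windows\\system32\\"
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")
SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SCRIPT_EXTS = (".cmd", ".bat", ".vbs", ".bin")

WINLOGON_RE = re.compile(r"^mWinlogon: (?P<key>\w+)=(?P<val>.+)$")
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
FIND_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (?P<size>\d+) (?P<attr>[-a-z]{8}) (?P<path>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|scr|cmd|bat|vbs))"?', re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def target_of(cmd):
    """Executable a Run value actually launches: strips quotes and arguments,
    and for RUNDLL32 returns the DLL it loads rather than rundll32 itself."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if not m:
        return cmd.lower()
    exe, rest = m.group("exe"), cmd[m.end():].strip()
    if basename(exe) == "rundll32.exe" and rest:
        return target_of(rest.split(",", 1)[0])
    return exe.lower()


def check_winlogon(key, val):
    key = key.lower()
    if key == "userinit":
        # A clean Userinit names userinit.exe only; anything chained after it runs at logon.
        extra = [p.strip() for p in val.split(",") if p.strip() and basename(p.strip()) != "userinit.exe"]
        if extra:
            return ["Userinit chains an extra program: " + ", ".join(extra)]
    if key == "sfcdisable" and val.split()[0] != "0":
        return ["Windows File Protection disabled (SFCDisable is non-zero)"]
    return []


def check_run(cmd):
    exe = target_of(cmd)
    reasons = []
    if basename(exe) in SYSTEM_NAMES and not exe.startswith(SYSTEM32):
        reasons.append("system binary name launched from outside system32")
    if ":\\" in exe and not exe.startswith(TRUSTED_DIRS):
        reasons.append("autostart target outside Windows/Program Files")
    return reasons


def check_find(attr, path):
    # DDS attribute string: 's' = system, 'h' = hidden. Both set on a loose
    # file under the Windows directory is the pattern this thread cleaned up.
    if "s" in attr and "h" in attr and path.lower().startswith(TRUSTED_DIRS[0]):
        kind = "script" if path.lower().endswith(SCRIPT_EXTS) else "file"
        return [f"hidden+system {kind} under the Windows directory"]
    return []


def triage(log_text):
    """Return [(indicator, reason), ...] for every log line that trips a check."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := WINLOGON_RE.match(line):
            findings += [(line, r) for r in check_winlogon(m["key"], m["val"])]
        elif m := RUN_RE.match(line):
            findings += [(target_of(m["cmd"]), r) for r in check_run(m["cmd"])]
        elif m := FIND_RE.match(line):
            findings += [(m["path"].lower(), r) for r in check_find(m["attr"], m["path"])]
    return findings


if __name__ == "__main__":
    for indicator, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {indicator}")
```

Run against the sample it reports seven findings; every one of them corresponds to an entry that ComboFix later removed or that the helper's CFScript listed.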

offline
  • Joined: 04 Jan 2009
  • Posts: 2168

Hello and welcome to MyCity. :)


First, let me tell you right away: do not connect any USB storage devices to the computer until I tell you to.


Download sUBs' ComboFix from the following address to your Desktop:


Bleeping Computer
- Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
- When the dialog for choosing the save location opens, select Desktop and click Save.




When the download is finished:
- disable your security software (instructions);
- close any running programs;
- double-click to run ComboFix.

While running, ComboFix will:
- check whether a newer version of the program exists: click Yes if offered to download it;
- display the DISCLAIMER OF WARRANTY ON SOFTWARE: click Yes so the process continues;
- offer to install the Recovery Console if it is not already installed: be sure to accept by clicking Yes and follow the procedure;
- ask a number of questions / show a number of notifications: accept by clicking Yes or OK;
- restart Windows if necessary (possibly several times);
- at the end, open Notepad with the scan report.


Copy the report ComboFix produced into the forum thread:
- right-click inside the Notepad window and choose Select All;
- right-click the highlighted text and choose Copy;
- right-click in the message box and choose Paste.


Note: The report will be saved as ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
If after posting you notice the report is incomplete, use the Attach file option to attach C:\ComboFix.txt to your message.

offline
  • Joined: 17 Nov 2009
  • Posts: 8

ComboFix 09-11-18.04 - ElektronS 11/18/2009 0:12.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.256.99 [GMT 1:00]
Running from: c:\documents and settings\ElektronS\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\windows\system32\AutoRun.inf
c:\windows\Temp
c:\windows\Temp\1.exe
E:\autorun.bat
E:\Autorun.inf
E:\autorun.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NWCWORKSTATION
-------\Service_NWCWorkstation


((((((((((((((((((((((((( Files Created from 2009-10-17 to 2009-11-17 )))))))))))))))))))))))))))))))
.

2009-11-17 23:12 . 2006-02-26 15:21 92672 ----a-w- c:\windows\system32\drivers\viamraid.sys
2009-11-17 23:12 . 2004-08-04 04:00 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-15 14:09 . 2009-11-15 14:09 -------- d-----w- c:\program files\uTorrent
2009-11-15 14:09 . 2009-11-17 23:03 -------- d-----w- c:\documents and settings\ElektronS\Application Data\uTorrent
2009-11-15 09:41 . 2009-11-15 09:42 -------- d-----w- c:\program files\Atomic Alarm Clock
2009-11-15 09:24 . 2009-11-15 09:24 -------- d-s---w- c:\documents and settings\ElektronS\UserData
2009-11-14 22:35 . 2009-07-28 15:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-14 19:57 . 2009-11-17 20:34 -------- d-----w- c:\documents and settings\ElektronS\Tracing
2009-11-14 19:55 . 2009-11-14 19:56 -------- d-----w- c:\program files\Windows Live
2009-11-14 19:37 . 2009-11-14 19:37 -------- d-----w- c:\program files\Common Files\Windows Live
2009-11-14 19:29 . 2009-11-14 19:29 -------- d-----w- c:\documents and settings\ElektronS\Application Data\Talkback
2009-11-14 19:28 . 2009-11-14 19:29 -------- d-----w- c:\documents and settings\ElektronS\Local Settings\Application Data\Thunderbird
2009-11-14 19:28 . 2009-11-14 19:28 -------- d-----w- c:\documents and settings\ElektronS\Application Data\Thunderbird

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-17 17:39 . 2007-08-06 10:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-14 23:27 . 2008-07-18 04:24 -------- d-----w- c:\program files\DaemonTools_WhenUSaveNow_Installer
2009-11-14 19:56 . 2008-11-11 04:03 -------- d-----w- c:\program files\Microsoft
2009-09-30 23:30 . 2009-09-30 23:30 1961720 ----a-w- c:\documents and settings\ElektronS\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-08-26 09:12 . 2007-08-05 23:21 49952 ----a-w- c:\documents and settings\ElektronS\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-05-06 16:42 . 2007-08-06 10:43 7260160 ----a-w- c:\program files\mozilla firefox\plugins\libvlc.dll
2009-07-03 02:26 . 2009-07-03 02:26 21 --sha-r- c:\windows\system32\101207.cmd
2009-07-03 02:26 . 2009-07-03 02:26 83 --sha-r- c:\windows\system32\26990.vbs
2006-07-30 22:20 . 2007-10-19 19:52 959 --sha-r- c:\windows\system32\autorun.bin
2009-07-03 02:26 . 2009-07-03 02:26 18 --sha-r- c:\windows\system32\config\101007.cmd
2009-07-03 02:26 . 2009-07-03 02:26 21 --sha-r- c:\windows\system32\config\101207.cmd
2009-07-03 02:26 . 2009-07-03 02:26 83 --sha-r- c:\windows\system32\config\26990.vbs
.

------- Sigcheck -------

[-] 2006-12-28 . C5E8C53A50767F016B539D946ED8B121 . 360576 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys
[7] 2004-08-03 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\inf\tcpip.sys
[7] 2004-08-03 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\Options\Cabs\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
"SkinClock"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2008-09-11 1739264]
"uTorrent"="c:\documents and settings\ElektronS\Desktop\utorrent.exe" [2009-11-15 289584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2004-08-04 99840]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\ElektronS\\Desktop\\utorrent.exe"=


--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ba/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\ElektronS\Application Data\Mozilla\Firefox\Profiles\hmw36r6o.default\
FF - prefs.js: browser.search.selectedEngine - YouTube
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ba/
FF - prefs.js: keyword.URL -
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-run32 - c:\win\lsass.exe
HKU-Default-Run-Sidebar - c:\program files\Windows Sidebar\sidebar.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-11-18 00:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3588-)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2009-11-18 00:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-17 23:23

Pre-Run: 7,014,084,608 bytes free
Post-Run: 9,230,159,872 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 29C532D4FB6CB4A14B7F9EBCC7B6B6DC

offline
  • Joined: 04 Jan 2009
  • Posts: 2168

First find the file Service_NWCWorkstation.reg.dat, located at C:\Qoobox\Quarantine\Registry_backups\Service_NWCWorkstation.reg.dat

Attach it to your post using the Attach file option, then follow the steps below...



Open Notepad and copy the following text into it:

File::
c:\windows\system32\autorun.bin
c:\windows\system32\config\101007.cmd
c:\windows\system32\config\101207.cmd
c:\windows\system32\config\26990.vbs
c:\windows\system32\101207.cmd
c:\windows\system32\26990.vbs



Save the file from Notepad to the Desktop as "CFScript"




Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post the log produced at the end of the cleaning/scan in your next message.

offline
  • Joined: 17 Nov 2009
  • Posts: 8

Posted: 18 Nov 2009 20:30

ComboFix 09-11-18.06 - ElektronS 11/18/2009 20:23.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.256.149 [GMT 1:00]
Running from: c:\documents and settings\ElektronS\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ElektronS\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\101207.cmd"
"c:\windows\system32\26990.vbs"
"c:\windows\system32\autorun.bin"
"c:\windows\system32\config\101007.cmd"
"c:\windows\system32\config\101207.cmd"
"c:\windows\system32\config\26990.vbs"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\101207.cmd
c:\windows\system32\26990.vbs
c:\windows\system32\autorun.bin
c:\windows\system32\config\101007.cmd
c:\windows\system32\config\101207.cmd
c:\windows\system32\config\26990.vbs

.
((((((((((((((((((((((((( Files Created from 2009-10-18 to 2009-11-18 )))))))))))))))))))))))))))))))
.

2009-11-17 23:12 . 2006-02-26 15:21 92672 ----a-w- c:\windows\system32\drivers\viamraid.sys
2009-11-17 23:12 . 2004-08-04 04:00 95360 ------w- c:\windows\system32\drivers\atapi.sys
2009-11-15 14:09 . 2009-11-15 14:09 -------- d-----w- c:\program files\uTorrent
2009-11-15 14:09 . 2009-11-18 06:39 -------- d-----w- c:\documents and settings\ElektronS\Application Data\uTorrent
2009-11-15 09:41 . 2009-11-17 23:30 -------- d-----w- c:\program files\Atomic Alarm Clock
2009-11-15 09:24 . 2009-11-15 09:24 -------- d-s---w- c:\documents and settings\ElektronS\UserData
2009-11-14 22:35 . 2009-07-28 15:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-14 19:57 . 2009-11-18 08:33 -------- d-----w- c:\documents and settings\ElektronS\Tracing
2009-11-14 19:55 . 2009-11-14 19:56 -------- d-----w- c:\program files\Windows Live
2009-11-14 19:37 . 2009-11-14 19:37 -------- d-----w- c:\program files\Common Files\Windows Live
2009-11-14 19:29 . 2009-11-14 19:29 -------- d-----w- c:\documents and settings\ElektronS\Application Data\Talkback
2009-11-14 19:28 . 2009-11-14 19:29 -------- d-----w- c:\documents and settings\ElektronS\Local Settings\Application Data\Thunderbird
2009-11-14 19:28 . 2009-11-14 19:28 -------- d-----w- c:\documents and settings\ElektronS\Application Data\Thunderbird

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-17 17:39 . 2007-08-06 10:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-14 23:27 . 2008-07-18 04:24 -------- d-----w- c:\program files\DaemonTools_WhenUSaveNow_Installer
2009-11-14 19:56 . 2008-11-11 04:03 -------- d-----w- c:\program files\Microsoft
2009-09-30 23:30 . 2009-09-30 23:30 1961720 ----a-w- c:\documents and settings\ElektronS\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-08-26 09:12 . 2007-08-05 23:21 49952 ----a-w- c:\documents and settings\ElektronS\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-05-06 16:42 . 2007-08-06 10:43 7260160 ----a-w- c:\program files\mozilla firefox\plugins\libvlc.dll
.

------- Sigcheck -------

[-] 2006-12-28 . C5E8C53A50767F016B539D946ED8B121 . 360576 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys
[7] 2004-08-03 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\inf\tcpip.sys
[7] 2004-08-03 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\Options\Cabs\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-11-17_23.21.22 )))))))))))))))))))))))))))))))))))))))))
.
- 2001-08-23 15:00 . 2009-11-17 17:42 39992 c:\windows\system32\perfc009.dat
+ 2001-08-23 15:00 . 2009-11-18 06:25 39992 c:\windows\system32\perfc009.dat
+ 2001-08-23 15:00 . 2009-11-18 06:25 311604 c:\windows\system32\perfh009.dat
- 2001-08-23 15:00 . 2009-11-17 17:42 311604 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
"SkinClock"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2008-09-11 1739264]
"uTorrent"="c:\documents and settings\ElektronS\Desktop\utorrent.exe" [2009-11-15 289584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2004-08-04 99840]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\ElektronS\\Desktop\\utorrent.exe"=


--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ba/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\ElektronS\Application Data\Mozilla\Firefox\Profiles\hmw36r6o.default\
FF - prefs.js: browser.search.selectedEngine - YouTube
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ba/
FF - prefs.js: keyword.URL -
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-11-18 20:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-11-18 20:29
ComboFix-quarantined-files.txt 2009-11-18 19:29
ComboFix2.txt 2009-11-17 23:24

Pre-Run: 9,958,162,432 bytes free
Post-Run: 9,937,633,280 bytes free

- - End Of File - - F5C81063379F2CA230E510957B647CF7

Update: 18 Nov 2009 20:32


in case I didn't attach it earlier, since I don't see that I did

offline
  • Joined: 04 Jan 2009
  • Posts: 2168

- Download USBNoRisk to your Desktop and run it by double-clicking the program icon.
- Wait a few seconds while the program performs its initial scan.
- Insert all your USB storage devices one after another into the USB slot and leave each one in for 10 seconds.
- If you have several devices to check, write down on a piece of paper the order in which they were inserted, because we will need that information later.
- When you have finished with all the devices, right-click in the middle of the program window and choose Save log. That will automatically open the log in Notepad. Copy that log from Notepad to the forum for us.

Explanation: USB storage devices are all devices that receive their own drive letter when connected to the computer. That includes USB flash drives, external hard disks, memory cards, MP3 and MP4 players, some mobile phones, some GPS (navigation) devices, etc.

offline
  • Joined: 17 Nov 2009
  • Posts: 8

It might sound funny, but I currently don't have a USB stick. The one I had broke, and I won't be able to borrow one from anyone any time soon :(

offline
  • Joined: 04 Jan 2009
  • Posts: 2168

1. Download this reg file and run it by double-clicking its icon...

When the message box appears, click Yes and then OK




2. Delete the version of ComboFix you have now and download the new version to your Desktop from the link given earlier.

Run ComboFix and post the log you get at the end of the process.



Never mind about the USB; one of the malware you had arrives on USB devices.

offline
  • Joined: 17 Nov 2009
  • Posts: 8

when I do what you said, this happens:

offline
  • Joined: 04 Jan 2009
  • Posts: 2168

Run ComboFix again.
