[bobby] Help, viruses...


offline
  • draska
  • New MyCity citizen
  • Joined: 01 Feb 2009
  • Posts: 1

My computer had become completely slow, so I downloaded HijackThis and scanned, and after that I also downloaded ComboFix and ran it, but I couldn't turn off NOD, so here are both logs for you, from HijackThis and from ComboFix:

first HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:57:05, on 29.1.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\lvhidsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Documents and Settings\drasko\Desktop\scan\scan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = search.bearshare.com/intl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\5.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O2 - BHO: IEHlprObj Class - {F171A450-7AF5-43E1-AFED-EDC826A1B0F5} - (no file)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\RunServices: [LvHidSvc] C:\WINDOWS\system32\lvhidsvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O8 - Extra context menu item: &Search - edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZSfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lifeview HID Remote Controller Service (lvhidsvc) - Animation Technologies Inc. - C:\WINDOWS\system32\lvhidsvc.exe

--
End of file - 4709 bytes


and here is ComboFix:

ComboFix 09-02-01.01 - drasko 2009-02-01 20:30:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.511.194 [GMT 1:00]
Running from: c:\documents and settings\drasko\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\dl00th3i.bat
c:\documents and settings\drasko\Application Data\inst.exe
C:\jj.cmd
C:\n.bat
c:\program files\FunWebProducts
c:\program files\FunWebProducts\PopSwatr\History\notallow
c:\program files\FunWebProducts\ScreenSaver\Cache\files.ini
c:\program files\FunWebProducts\ScreenSaver\Images\02EEEE38.urr
c:\program files\FunWebProducts\ScreenSaver\Images\02F197BD.urr
c:\program files\FunWebProducts\ScreenSaver\Images\wrkparam.lst
c:\program files\FunWebProducts\Shared\02ED4D88.dat
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\program files\FunWebProducts\Shared\Cache\WebfettiBtn-new.html
c:\program files\FunWebProducts\Shared\Cache\WebfettiBtn.html
c:\program files\Internet Explorer\msimg32.dll
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\4.bin\F3HTMLMU.DLL
c:\program files\MyWebSearch\bar\4.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\4.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\4.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\4.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\5.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\5.bin\F3CJPEG.DLL
c:\program files\MyWebSearch\bar\5.bin\F3DTACTL.DLL
c:\program files\MyWebSearch\bar\5.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\5.bin\F3HTMLMU.DLL
c:\program files\MyWebSearch\bar\5.bin\F3HTTPCT.DLL
c:\program files\MyWebSearch\bar\5.bin\F3IMSTUB.DLL
c:\program files\MyWebSearch\bar\5.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\5.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\5.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\5.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\5.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\5.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\5.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\5.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\5.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\5.bin\FWPBUDDY.PNG
c:\program files\MyWebSearch\bar\5.bin\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\5.bin\M3FFXTBR.MANIFEST
c:\program files\MyWebSearch\bar\5.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\5.bin\M3HTML.DLL
c:\program files\MyWebSearch\bar\5.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\5.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\5.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\5.bin\M3MSG.DLL
c:\program files\MyWebSearch\bar\5.bin\M3NTSTBR.JAR
c:\program files\MyWebSearch\bar\5.bin\M3NTSTBR.MANIFEST
c:\program files\MyWebSearch\bar\5.bin\M3OUTLCN.DLL
c:\program files\MyWebSearch\bar\5.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\5.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\5.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\5.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\5.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\5.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\5.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\5.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Cache\0001F4AB
c:\program files\MyWebSearch\bar\Cache\00E8898A
c:\program files\MyWebSearch\bar\Cache\018331B4.bin
c:\program files\MyWebSearch\bar\Cache\0183359C
c:\program files\MyWebSearch\bar\Cache\02D14C77.w
c:\program files\MyWebSearch\bar\Cache\02D16F22.bin
c:\program files\MyWebSearch\bar\Cache\02D17982.bin
c:\program files\MyWebSearch\bar\Cache\02D17FEB.bin
c:\program files\MyWebSearch\bar\Cache\02D18876.bin
c:\program files\MyWebSearch\bar\Cache\02D938F8.bin
c:\program files\MyWebSearch\bar\Cache\02D94701.bin
c:\program files\MyWebSearch\bar\Cache\02D96CAA.bin
c:\program files\MyWebSearch\bar\Cache\02D970A2.bin
c:\program files\MyWebSearch\bar\Cache\02D97322
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search2
c:\program files\MyWebSearch\bar\History\search3
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
c:\program files\Zumie
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\kxvo.exe
c:\windows\system32\wedasgads0.dll
c:\windows\system32\wedasgads1.dll
D:\Autorun.inf
D:\dl00th3i.bat
D:\jj.cmd
D:\n.bat

.
((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.

2009-01-29 22:22 . 2009-01-29 22:22 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-01-29 22:03 . 2009-01-29 22:03 <DIR> d-------- c:\program files\ESET
2009-01-29 21:31 . 2009-01-29 21:31 <DIR> d-------- c:\program files\ESET.NOD32.Antivirus.Business.Edition.v3.0.566.(zabranjeno)ED-CU
2009-01-29 21:31 . 2009-01-29 21:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2009-01-22 09:49 . 2009-01-22 09:48 172,394 -r-hs---- C:\ej.com
2009-01-22 01:12 . 2009-01-22 01:12 <DIR> d-------- c:\program files\Safari
2009-01-22 01:06 . 2009-01-22 01:06 <DIR> d-------- c:\program files\Bonjour
2009-01-22 01:04 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-01-22 01:04 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-22 01:03 . 2009-01-22 01:04 <DIR> d-------- c:\program files\iTunes
2009-01-22 01:03 . 2009-01-22 01:03 <DIR> d-------- c:\program files\iPod
2009-01-22 01:03 . 2009-01-22 01:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-22 01:02 . 2009-01-22 01:03 <DIR> d-------- c:\program files\Common Files\Apple
2009-01-22 00:47 . 2009-01-22 00:48 <DIR> d-------- c:\program files\QuickTime
2009-01-22 00:47 . 2009-01-22 00:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-22 00:00 . 2009-01-22 00:00 <DIR> d-------- c:\program files\Apple Software Update
2009-01-22 00:00 . 2009-01-22 00:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-01-21 22:49 . 2009-01-21 22:50 <DIR> d-------- c:\program files\GOMPLAYER
2009-01-21 20:51 . 2009-01-21 20:54 8,997,595 --a------ c:\program files\themes_creator_3.32.zip
2009-01-19 10:39 . 2009-01-19 10:39 <DIR> d-------- c:\documents and settings\drasko\Application Data\Sony
2009-01-19 10:39 . 2009-01-19 10:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sony
2009-01-19 10:39 . 2009-01-21 22:46 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-19 10:39 . 2009-01-19 10:39 1,409 --a------ c:\windows\QTFont.for
2009-01-19 10:38 . 2009-01-21 11:03 171,008 -r-hs---- C:\rcvk.exe
2009-01-18 21:31 . 2009-01-18 21:31 <DIR> d-------- c:\program files\Sony
2009-01-18 21:08 . 2009-01-18 21:26 <DIR> d-------- c:\program files\Avanquest update
2009-01-18 21:08 . 2009-01-18 21:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\BVRP Software
2009-01-18 21:08 . 2007-12-10 14:22 110,120 --a------ c:\windows\system32\drivers\s3017unic.sys
2009-01-18 21:08 . 2007-12-10 14:22 104,616 --a------ c:\windows\system32\drivers\s3017mgmt.sys
2009-01-18 21:08 . 2007-12-10 14:22 100,648 --a------ c:\windows\system32\drivers\s3017obex.sys
2009-01-18 21:08 . 2007-12-10 14:22 25,512 --a------ c:\windows\system32\drivers\s3017nd5.sys
2009-01-18 21:08 . 2007-12-10 14:22 10,792 --a------ c:\windows\system32\drivers\s3017cr.sys
2009-01-18 21:07 . 2009-01-21 20:55 <DIR> d-------- c:\program files\Sony Ericsson
2009-01-18 21:07 . 2009-01-18 21:07 <DIR> d-------- c:\documents and settings\drasko\Application Data\InstallShield
2009-01-18 21:07 . 2009-01-18 21:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sony Ericsson
2009-01-18 21:07 . 2007-12-10 14:22 110,632 --a------ c:\windows\system32\drivers\s3017mdm.sys
2009-01-18 21:07 . 2007-12-10 14:22 83,880 --a------ c:\windows\system32\drivers\s3017bus.sys
2009-01-18 21:07 . 2007-12-10 14:22 15,016 --a------ c:\windows\system32\drivers\s3017mdfl.sys
2009-01-18 21:07 . 2007-12-10 14:22 12,200 --a------ c:\windows\system32\drivers\s3017whnt.sys
2009-01-18 21:07 . 2007-12-10 14:22 12,200 --a------ c:\windows\system32\drivers\s3017wh.sys
2009-01-18 21:07 . 2007-12-10 14:22 12,200 --a------ c:\windows\system32\drivers\s3017cmnt.sys
2009-01-18 21:07 . 2007-12-10 14:22 12,200 --a------ c:\windows\system32\drivers\s3017cm.sys
2009-01-05 16:18 . 2009-01-05 16:18 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2009-01-05 16:18 . 2009-01-05 16:18 57,344 --a------ c:\windows\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-29 20:46 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-29 20:28 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-01-22 08:47 --------- d-----w c:\documents and settings\drasko\Application Data\Apple Computer
2009-01-19 18:06 --------- d-----w c:\documents and settings\drasko\Application Data\BearShare
2009-01-18 20:25 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-25 21:00 --------- d-----w c:\program files\Winamp
2008-12-22 18:21 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-12-22 18:15 187,064 --sh--r C:\wi.com
2008-12-19 08:08 189,330 --sh--r C:\ab31.exe
2008-12-18 16:53 --------- d-----w c:\documents and settings\All Users\Application Data\2B31C
2008-12-18 08:29 186,269 --sh--r C:\dkpiw.com
2008-12-12 10:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-12-12 10:11 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-12-08 16:41 174,455 --sh--r C:\l6hub0.com
2008-12-06 12:38 --------- d-----w c:\documents and settings\All Users\Application Data\362EE
2008-12-05 06:32 174,698 --sh--r C:\tkvfd03.exe
2008-12-03 20:06 --------- d-----w c:\program files\DivX
2008-12-03 09:19 175,716 --sh--r C:\asneg.com
2008-09-24 19:31 225,280 ----a-w c:\program files\UgasiZaToliko.exe
2008-09-11 16:56 1,130 ----a-w c:\program files\50 FREE MP3s +1 Free Audiobook!.lnk
2008-06-14 18:30 774,144 ----a-w c:\program files\RngInterstitial.dll
2008-06-04 19:54 12,680,312 ----a-w c:\program files\marine2Free.exe
2008-06-04 19:43 878,624 ----a-w c:\program files\ClockScreenSaverSetup.exe
2008-05-14 19:48 22,300,968 ----a-w c:\program files\SkypeSetup.exe
2008-05-13 20:18 47,360 ----a-w c:\documents and settings\drasko\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-11-14 1410304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LvHidSvc"="c:\windows\system32\lvhidsvc.exe" [2004-10-10 33280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TVR Schedule.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TVR Schedule.lnk
backup=c:\windows\pss\TVR Schedule.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 22:22 3739648 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 09:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-04-23 18:57 35328 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007-11-14 30728]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-11-14 455936]
S3 AVPsys;AVPsys;c:\windows\system32\drivers\cdaudio.sys [2001-08-17 18688]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [2009-01-18 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [2009-01-18 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [2009-01-18 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [2009-01-18 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [2009-01-18 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [2009-01-18 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [2009-01-18 110120]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b2fbc49-9f85-11dd-a138-000476a1208f}]
\Shell\AutoRun\command - G:\uaacifr.cmd
\Shell\explore\Command - G:\uaacifr.cmd
\Shell\open\Command - G:\uaacifr.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f5361d9-3e8e-11dd-a0c6-000476a1208f}]
\Shell\AutoRun\command - G:\hni.cmd
\Shell\explore\Command - G:\hni.cmd
\Shell\open\Command - G:\hni.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{979754b8-cd21-11dd-a198-000476a1208f}]
\Shell\AutoRun\command - G:\ab31.exe
\Shell\explore\Command - G:\ab31.exe
\Shell\open\Command - G:\ab31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba6a4325-ec5b-11dd-a1bb-000476a1208f}]
\Shell\AutoRun\command - G:\dl00th3i.bat
\Shell\explore\Command - G:\dl00th3i.bat
\Shell\open\Command - G:\dl00th3i.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1ee581c-e6d0-11dd-a1ae-000476a1208f}]
\Shell\AutoRun\command - G:\rcvk.exe
\Shell\open\Command - G:\rcvk.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4be7ce0-1d97-11dd-a06f-000476a1208f}]
\Shell\AutoRun\command - G:\n.bat
\Shell\explore\Command - G:\
\Shell\open\Command - G:\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f822c885-3394-11dd-a0b0-000476a1208f}]
\Shell\AutoRun\command - G:\ot8unvb.cmd
\Shell\explore\Command - G:\ot8unvb.cmd
\Shell\open\Command - G:\ot8unvb.cmd
.
Contents of the 'Scheduled Tasks' folder

2009-01-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-29 c:\windows\Tasks\PCConfidential.job
- c:\program files\Winferno\PC Confidential\PCConfidential.exe []

2008-11-29 c:\windows\Tasks\rpc.job
- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Disk Cleaner - c:\program files\Disk Cleaner\LaunchDiskCleaner.Exe
MSConfigStartUp-kxva - c:\windows\system32\kxvo.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\5.bin\mwsoemon.exe
MSConfigStartUp-Registry Helper - c:\program files\Registry Helper\LaunchRegistryHelper.Exe
MSConfigStartUp-SkinClock - c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe
MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.bearshare.com/intl/
uInternet Settings,ProxyOverride = *.local
IE: &Search - edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZSfox000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\drasko\Application Data\Mozilla\Firefox\Profiles\k6499pzw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-divx&p=
FF - prefs.js: browser.startup.homepage - hxxp://search.bearshare.com/intl/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-divx&p=
FF - component: c:\documents and settings\drasko\Application Data\Mozilla\Firefox\Profiles\k6499pzw.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-02-01 20:33:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-01 20:35:55
ComboFix-quarantined-files.txt 2009-02-01 19:35:50

Pre-Run: 2.622.078.976 bytes free
Post-Run: 3,041,480,704 bytes free

328 --- E O F --- 2008-05-25 21:17:36

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Open Notepad and copy the following text:

File::
C:\asneg.com
C:\tkvfd03.exe
C:\l6hub0.com
C:\dkpiw.com
C:\ab31.exe
C:\wi.com
C:\rcvk.exe
C:\ej.com

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b2fbc49-9f85-11dd-a138-000476a1208f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f5361d9-3e8e-11dd-a0c6-000476a1208f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{979754b8-cd21-11dd-a198-000476a1208f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba6a4325-ec5b-11dd-a1bb-000476a1208f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1ee581c-e6d0-11dd-a1ae-000476a1208f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4be7ce0-1d97-11dd-a06f-000476a1208f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f822c885-3394-11dd-a0b0-000476a1208f}]


Save the file from Notepad to the Desktop as "CFScript"




Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post in your next message the log that is produced at the end of the cleaning/scanning.


And please, never run ComboFix on your own again.
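As an added example (not code from the forum, from ComboFix or from the author), here is a small Python triage script that applies the reasoning behind the reply above to a log excerpt: it pulls out the hidden+system files dropped in a drive root and the mountpoints2 keys whose AutoRun command points at a file on the volume, then renders them in the CFScript File::/Registry:: layout. The regexes and the constructed excerpt (built from lines in the post, plus one made-up key with no AutoRun entry) are my own assumptions.

```python
import re

# Constructed excerpt in ComboFix's format, assembled from lines in the post above
# (the last mountpoints2 key is a made-up negative case with no AutoRun command).
SAMPLE_LOG = r"""
2009-01-22 09:49 . 2009-01-22 09:48 172,394 -r-hs---- C:\ej.com
2009-01-22 01:04 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-01-19 10:39 . 2009-01-21 22:46 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-19 18:06 --------- d-----w c:\documents and settings\drasko\Application Data\BearShare
2008-12-22 18:15 187,064 --sh--r C:\wi.com
2008-12-12 10:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-12-03 09:19 175,716 --sh--r C:\asneg.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{979754b8-cd21-11dd-a198-000476a1208f}]
\Shell\AutoRun\command - G:\ab31.exe
\Shell\explore\Command - G:\ab31.exe
\Shell\open\Command - G:\ab31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4be7ce0-1d97-11dd-a06f-000476a1208f}]
\Shell\AutoRun\command - G:\n.bat
\Shell\explore\Command - G:\
\Shell\open\Command - G:\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000000}]
\Shell\open\Command - G:\
"""

# A ComboFix file line ends with an attribute string (e.g. -r-hs---- or --sh--r)
# followed by the path; both the 'Files Created' and 'Find3M' layouts fit this.
FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} .*?\s([-a-z]{7,9})\s+([A-Za-z]:\\.*)$")
MOUNTPOINT_KEY = re.compile(
    r"^\[(HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.IGNORECASE)
AUTORUN_CMD = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$", re.IGNORECASE)
DRIVE_ROOT_FILE = re.compile(r"^[A-Za-z]:\\[^\\]+$")


def find_root_hidden_files(log):
    """Files sitting directly in a drive root with both the hidden (h) and the
    system (s) attribute set: the pattern of the droppers in this log."""
    hits = []
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        attrs, path = m.groups()
        if "s" in attrs and "h" in attrs and DRIVE_ROOT_FILE.match(path):
            hits.append(path)
    return hits


def find_autorun_mountpoints(log):
    """mountpoints2 keys whose AutoRun command launches a file on the volume,
    i.e. a remembered autorun.inf from a removable drive. Returns (key, command)."""
    hits, current = [], None
    for line in log.splitlines():
        line = line.strip()
        k = MOUNTPOINT_KEY.match(line)
        if k:
            current = k.group(1)
            continue
        a = AUTORUN_CMD.match(line)
        if a and current:
            cmd = a.group(1).strip()
            # 'G:\' alone just opens the drive; only a path to a file is suspicious
            if re.match(r"^[A-Za-z]:\\.+", cmd):
                hits.append((current, cmd))
    return hits


def build_cfscript(log):
    """Render a CFScript with the same File:: / Registry:: layout as the reply."""
    out = ["File::"] + find_root_hidden_files(log) + ["", "Registry::"]
    out += ["[-%s]" % key for key, _ in find_autorun_mountpoints(log)]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```

Run it and compare its output with the CFScript the helper posted, which was written after reading the whole log.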
