[bobby] Help, viruses...

  • draska 
  • New MyCity citizen
  • Joined: 01 Feb 2009
  • Posts: 1

My computer had become really slow, so I downloaded HijackThis and ran a scan, and after that I also downloaded ComboFix and ran it, but I could not turn NOD off, so here are both logs, from HijackThis and from ComboFix:

first HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:57:05, on 29.1.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\lvhidsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Documents and Settings\drasko\Desktop\scan\scan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = search.bearshare.com/intl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\5.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O2 - BHO: IEHlprObj Class - {F171A450-7AF5-43E1-AFED-EDC826A1B0F5} - (no file)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\RunServices: [LvHidSvc] C:\WINDOWS\system32\lvhidsvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O8 - Extra context menu item: &Search - edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZSfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lifeview HID Remote Controller Service (lvhidsvc) - Animation Technologies Inc. - C:\WINDOWS\system32\lvhidsvc.exe

--
End of file - 4709 bytes


and here is ComboFix:

ComboFix 09-02-01.01 - drasko 2009-02-01 20:30:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.511.194 [GMT 1:00]
Running from: c:\documents and settings\drasko\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\dl00th3i.bat
c:\documents and settings\drasko\Application Data\inst.exe
C:\jj.cmd
C:\n.bat
c:\program files\FunWebProducts
c:\program files\FunWebProducts\PopSwatr\History\notallow
c:\program files\FunWebProducts\ScreenSaver\Cache\files.ini
c:\program files\FunWebProducts\ScreenSaver\Images\02EEEE38.urr
c:\program files\FunWebProducts\ScreenSaver\Images\02F197BD.urr
c:\program files\FunWebProducts\ScreenSaver\Images\wrkparam.lst
c:\program files\FunWebProducts\Shared\02ED4D88.dat
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\program files\FunWebProducts\Shared\Cache\WebfettiBtn-new.html
c:\program files\FunWebProducts\Shared\Cache\WebfettiBtn.html
c:\program files\Internet Explorer\msimg32.dll
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\4.bin\F3HTMLMU.DLL
c:\program files\MyWebSearch\bar\4.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\4.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\4.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\4.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\5.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\5.bin\F3CJPEG.DLL
c:\program files\MyWebSearch\bar\5.bin\F3DTACTL.DLL
c:\program files\MyWebSearch\bar\5.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\5.bin\F3HTMLMU.DLL
c:\program files\MyWebSearch\bar\5.bin\F3HTTPCT.DLL
c:\program files\MyWebSearch\bar\5.bin\F3IMSTUB.DLL
c:\program files\MyWebSearch\bar\5.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\5.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\5.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\5.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\5.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\5.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\5.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\5.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\5.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\5.bin\FWPBUDDY.PNG
c:\program files\MyWebSearch\bar\5.bin\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\5.bin\M3FFXTBR.MANIFEST
c:\program files\MyWebSearch\bar\5.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\5.bin\M3HTML.DLL
c:\program files\MyWebSearch\bar\5.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\5.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\5.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\5.bin\M3MSG.DLL
c:\program files\MyWebSearch\bar\5.bin\M3NTSTBR.JAR
c:\program files\MyWebSearch\bar\5.bin\M3NTSTBR.MANIFEST
c:\program files\MyWebSearch\bar\5.bin\M3OUTLCN.DLL
c:\program files\MyWebSearch\bar\5.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\5.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\5.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\5.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\5.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\5.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\5.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\5.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Cache\0001F4AB
c:\program files\MyWebSearch\bar\Cache\00E8898A
c:\program files\MyWebSearch\bar\Cache\018331B4.bin
c:\program files\MyWebSearch\bar\Cache\0183359C
c:\program files\MyWebSearch\bar\Cache\02D14C77.w
c:\program files\MyWebSearch\bar\Cache\02D16F22.bin
c:\program files\MyWebSearch\bar\Cache\02D17982.bin
c:\program files\MyWebSearch\bar\Cache\02D17FEB.bin
c:\program files\MyWebSearch\bar\Cache\02D18876.bin
c:\program files\MyWebSearch\bar\Cache\02D938F8.bin
c:\program files\MyWebSearch\bar\Cache\02D94701.bin
c:\program files\MyWebSearch\bar\Cache\02D96CAA.bin
c:\program files\MyWebSearch\bar\Cache\02D970A2.bin
c:\program files\MyWebSearch\bar\Cache\02D97322
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search2
c:\program files\MyWebSearch\bar\History\search3
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
c:\program files\Zumie
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\kxvo.exe
c:\windows\system32\wedasgads0.dll
c:\windows\system32\wedasgads1.dll
D:\Autorun.inf
D:\dl00th3i.bat
D:\jj.cmd
D:\n.bat

.
((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.

2009-01-29 22:22 . 2009-01-29 22:22 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-01-29 22:03 . 2009-01-29 22:03 <DIR> d-------- c:\program files\ESET
2009-01-29 21:31 . 2009-01-29 21:31 <DIR> d-------- c:\program files\ESET.NOD32.Antivirus.Business.Edition.v3.0.566.(zabranjeno)ED-CU
2009-01-29 21:31 . 2009-01-29 21:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2009-01-22 09:49 . 2009-01-22 09:48 172,394 -r-hs---- C:\ej.com
2009-01-22 01:12 . 2009-01-22 01:12 <DIR> d-------- c:\program files\Safari
2009-01-22 01:06 . 2009-01-22 01:06 <DIR> d-------- c:\program files\Bonjour
2009-01-22 01:04 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-01-22 01:04 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-22 01:03 . 2009-01-22 01:04 <DIR> d-------- c:\program files\iTunes
2009-01-22 01:03 . 2009-01-22 01:03 <DIR> d-------- c:\program files\iPod
2009-01-22 01:03 . 2009-01-22 01:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-22 01:02 . 2009-01-22 01:03 <DIR> d-------- c:\program files\Common Files\Apple
2009-01-22 00:47 . 2009-01-22 00:48 <DIR> d-------- c:\program files\QuickTime
2009-01-22 00:47 . 2009-01-22 00:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-22 00:00 . 2009-01-22 00:00 <DIR> d-------- c:\program files\Apple Software Update
2009-01-22 00:00 . 2009-01-22 00:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-01-21 22:49 . 2009-01-21 22:50 <DIR> d-------- c:\program files\GOMPLAYER
2009-01-21 20:51 . 2009-01-21 20:54 8,997,595 --a------ c:\program files\themes_creator_3.32.zip
2009-01-19 10:39 . 2009-01-19 10:39 <DIR> d-------- c:\documents and settings\drasko\Application Data\Sony
2009-01-19 10:39 . 2009-01-19 10:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sony
2009-01-19 10:39 . 2009-01-21 22:46 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-19 10:39 . 2009-01-19 10:39 1,409 --a------ c:\windows\QTFont.for
2009-01-19 10:38 . 2009-01-21 11:03 171,008 -r-hs---- C:\rcvk.exe
2009-01-18 21:31 . 2009-01-18 21:31 <DIR> d-------- c:\program files\Sony
2009-01-18 21:08 . 2009-01-18 21:26 <DIR> d-------- c:\program files\Avanquest update
2009-01-18 21:08 . 2009-01-18 21:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\BVRP Software
2009-01-18 21:08 . 2007-12-10 14:22 110,120 --a------ c:\windows\system32\drivers\s3017unic.sys
2009-01-18 21:08 . 2007-12-10 14:22 104,616 --a------ c:\windows\system32\drivers\s3017mgmt.sys
2009-01-18 21:08 . 2007-12-10 14:22 100,648 --a------ c:\windows\system32\drivers\s3017obex.sys
2009-01-18 21:08 . 2007-12-10 14:22 25,512 --a------ c:\windows\system32\drivers\s3017nd5.sys
2009-01-18 21:08 . 2007-12-10 14:22 10,792 --a------ c:\windows\system32\drivers\s3017cr.sys
2009-01-18 21:07 . 2009-01-21 20:55 <DIR> d-------- c:\program files\Sony Ericsson
2009-01-18 21:07 . 2009-01-18 21:07 <DIR> d-------- c:\documents and settings\drasko\Application Data\InstallShield
2009-01-18 21:07 . 2009-01-18 21:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sony Ericsson
2009-01-18 21:07 . 2007-12-10 14:22 110,632 --a------ c:\windows\system32\drivers\s3017mdm.sys
2009-01-18 21:07 . 2007-12-10 14:22 83,880 --a------ c:\windows\system32\drivers\s3017bus.sys
2009-01-18 21:07 . 2007-12-10 14:22 15,016 --a------ c:\windows\system32\drivers\s3017mdfl.sys
2009-01-18 21:07 . 2007-12-10 14:22 12,200 --a------ c:\windows\system32\drivers\s3017whnt.sys
2009-01-18 21:07 . 2007-12-10 14:22 12,200 --a------ c:\windows\system32\drivers\s3017wh.sys
2009-01-18 21:07 . 2007-12-10 14:22 12,200 --a------ c:\windows\system32\drivers\s3017cmnt.sys
2009-01-18 21:07 . 2007-12-10 14:22 12,200 --a------ c:\windows\system32\drivers\s3017cm.sys
2009-01-05 16:18 . 2009-01-05 16:18 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2009-01-05 16:18 . 2009-01-05 16:18 57,344 --a------ c:\windows\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-29 20:46 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-29 20:28 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-01-22 08:47 --------- d-----w c:\documents and settings\drasko\Application Data\Apple Computer
2009-01-19 18:06 --------- d-----w c:\documents and settings\drasko\Application Data\BearShare
2009-01-18 20:25 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-25 21:00 --------- d-----w c:\program files\Winamp
2008-12-22 18:21 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-12-22 18:15 187,064 --sh--r C:\wi.com
2008-12-19 08:08 189,330 --sh--r C:\ab31.exe
2008-12-18 16:53 --------- d-----w c:\documents and settings\All Users\Application Data\2B31C
2008-12-18 08:29 186,269 --sh--r C:\dkpiw.com
2008-12-12 10:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-12-12 10:11 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-12-08 16:41 174,455 --sh--r C:\l6hub0.com
2008-12-06 12:38 --------- d-----w c:\documents and settings\All Users\Application Data\362EE
2008-12-05 06:32 174,698 --sh--r C:\tkvfd03.exe
2008-12-03 20:06 --------- d-----w c:\program files\DivX
2008-12-03 09:19 175,716 --sh--r C:\asneg.com
2008-09-24 19:31 225,280 ----a-w c:\program files\UgasiZaToliko.exe
2008-09-11 16:56 1,130 ----a-w c:\program files\50 FREE MP3s +1 Free Audiobook!.lnk
2008-06-14 18:30 774,144 ----a-w c:\program files\RngInterstitial.dll
2008-06-04 19:54 12,680,312 ----a-w c:\program files\marine2Free.exe
2008-06-04 19:43 878,624 ----a-w c:\program files\ClockScreenSaverSetup.exe
2008-05-14 19:48 22,300,968 ----a-w c:\program files\SkypeSetup.exe
2008-05-13 20:18 47,360 ----a-w c:\documents and settings\drasko\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-11-14 1410304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LvHidSvc"="c:\windows\system32\lvhidsvc.exe" [2004-10-10 33280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TVR Schedule.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TVR Schedule.lnk
backup=c:\windows\pss\TVR Schedule.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 22:22 3739648 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 09:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-04-23 18:57 35328 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007-11-14 30728]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-11-14 455936]
S3 AVPsys;AVPsys;c:\windows\system32\drivers\cdaudio.sys [2001-08-17 18688]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [2009-01-18 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [2009-01-18 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [2009-01-18 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [2009-01-18 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [2009-01-18 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [2009-01-18 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [2009-01-18 110120]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b2fbc49-9f85-11dd-a138-000476a1208f}]
\Shell\AutoRun\command - G:\uaacifr.cmd
\Shell\explore\Command - G:\uaacifr.cmd
\Shell\open\Command - G:\uaacifr.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f5361d9-3e8e-11dd-a0c6-000476a1208f}]
\Shell\AutoRun\command - G:\hni.cmd
\Shell\explore\Command - G:\hni.cmd
\Shell\open\Command - G:\hni.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{979754b8-cd21-11dd-a198-000476a1208f}]
\Shell\AutoRun\command - G:\ab31.exe
\Shell\explore\Command - G:\ab31.exe
\Shell\open\Command - G:\ab31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba6a4325-ec5b-11dd-a1bb-000476a1208f}]
\Shell\AutoRun\command - G:\dl00th3i.bat
\Shell\explore\Command - G:\dl00th3i.bat
\Shell\open\Command - G:\dl00th3i.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1ee581c-e6d0-11dd-a1ae-000476a1208f}]
\Shell\AutoRun\command - G:\rcvk.exe
\Shell\open\Command - G:\rcvk.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4be7ce0-1d97-11dd-a06f-000476a1208f}]
\Shell\AutoRun\command - G:\n.bat
\Shell\explore\Command - G:\
\Shell\open\Command - G:\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f822c885-3394-11dd-a0b0-000476a1208f}]
\Shell\AutoRun\command - G:\ot8unvb.cmd
\Shell\explore\Command - G:\ot8unvb.cmd
\Shell\open\Command - G:\ot8unvb.cmd
.
Contents of the 'Scheduled Tasks' folder

2009-01-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-29 c:\windows\Tasks\PCConfidential.job
- c:\program files\Winferno\PC Confidential\PCConfidential.exe []

2008-11-29 c:\windows\Tasks\rpc.job
- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Disk Cleaner - c:\program files\Disk Cleaner\LaunchDiskCleaner.Exe
MSConfigStartUp-kxva - c:\windows\system32\kxvo.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\5.bin\mwsoemon.exe
MSConfigStartUp-Registry Helper - c:\program files\Registry Helper\LaunchRegistryHelper.Exe
MSConfigStartUp-SkinClock - c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe
MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.bearshare.com/intl/
uInternet Settings,ProxyOverride = *.local
IE: &Search - edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZSfox000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\drasko\Application Data\Mozilla\Firefox\Profiles\k6499pzw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-divx&p=
FF - prefs.js: browser.startup.homepage - hxxp://search.bearshare.com/intl/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-divx&p=
FF - component: c:\documents and settings\drasko\Application Data\Mozilla\Firefox\Profiles\k6499pzw.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-02-01 20:33:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-01 20:35:55
ComboFix-quarantined-files.txt 2009-02-01 19:35:50

Pre-Run: 2.622.078.976 bytes free
Post-Run: 3,041,480,704 bytes free

328 --- E O F --- 2008-05-25 21:17:36

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Open Notepad and copy the following text into it:

File::
C:\asneg.com
C:\tkvfd03.exe
C:\l6hub0.com
C:\dkpiw.com
C:\ab31.exe
C:\wi.com
C:\rcvk.exe
C:\ej.com

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b2fbc49-9f85-11dd-a138-000476a1208f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f5361d9-3e8e-11dd-a0c6-000476a1208f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{979754b8-cd21-11dd-a198-000476a1208f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba6a4325-ec5b-11dd-a1bb-000476a1208f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1ee581c-e6d0-11dd-a1ae-000476a1208f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4be7ce0-1d97-11dd-a06f-000476a1208f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f822c885-3394-11dd-a0b0-000476a1208f}]


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post the log that is produced at the end of the cleaning/scanning in your next message.

And please, never run ComboFix on your own again.
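The two things the reply above removes, the hidden files at the root of C: and the MountPoints2 keys whose AutoRun/open/explore verbs point at scripts on a removable drive, can be picked out of a ComboFix log mechanically. The following Python helper is an added example for this thread, not a tool from ComboFix, HijackThis or the forum; it parses a few log lines constructed in the same layout as the report above (the paths and key names are taken from the report) and returns the entries a triager would want to look at first.

```python
"""Triage helper for ComboFix-style log lines (added example, not part of the thread).

Two checks are implemented:
  * MountPoints2 keys whose Shell verbs run a file from a drive root
    (the removable-media autorun pattern visible in the report above);
  * Find3M / "Files Created" lines for files sitting at a drive root with
    the hidden (h) and system (s) attributes set.
"""
import re

# [HKEY_CURRENT_USER\...\mountpoints2\{guid}]  (hypothetical line format reused from the report)
MOUNTPOINT_KEY = re.compile(
    r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
# \Shell\AutoRun\command - G:\something.cmd
SHELL_CMD = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.I)
# "date time [. date time] size attrs path" as written by ComboFix for files
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"
    r"\s+([\d,]+)\s+([-a-zA-Z]{7,9})\s+(.+)$")
ROOT_RUNNABLE = re.compile(r"^[A-Z]:\\[^\\]+\.(cmd|bat|exe|com|scr)$", re.I)
ROOT_FILE = re.compile(r"^[A-Z]:\\[^\\]+$", re.I)

# Constructed sample: a handful of lines shaped like the ComboFix report above.
SAMPLE_LOG = r"""
2008-12-22 18:15 187,064 --sh--r C:\wi.com
2008-12-12 10:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2009-01-22 09:49 . 2009-01-22 09:48 172,394 -r-hs---- C:\ej.com
2009-01-29 20:46 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b2fbc49-9f85-11dd-a138-000476a1208f}]
\Shell\AutoRun\command - G:\uaacifr.cmd
\Shell\explore\Command - G:\uaacifr.cmd
\Shell\open\Command - G:\uaacifr.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4be7ce0-1d97-11dd-a06f-000476a1208f}]
\Shell\AutoRun\command - G:\n.bat
\Shell\explore\Command - G:\
\Shell\open\Command - G:\

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"""


def parse_mountpoints(lines):
    """Return {guid: {verb: command}} for every MountPoints2 key in the log."""
    result, current = {}, None
    for raw in lines:
        line = raw.strip()
        key = MOUNTPOINT_KEY.match(line)
        if key:
            current = key.group(1).lower()
            result[current] = {}
            continue
        if line.startswith("["):      # any other registry key ends the section
            current = None
            continue
        verb = SHELL_CMD.match(line)
        if verb and current is not None:
            result[current][verb.group(1).lower()] = verb.group(2).strip()
    return result


def suspicious_autoruns(mountpoints):
    """Shell verbs whose command is a script/executable at the root of a drive."""
    return [(guid, verb, cmd)
            for guid, verbs in mountpoints.items()
            for verb, cmd in verbs.items()
            if ROOT_RUNNABLE.match(cmd)]


def hidden_root_files(lines):
    """Files at a drive root carrying both the hidden and system attributes."""
    hits = []
    for raw in lines:
        m = FILE_LINE.match(raw.strip())
        if not m:
            continue
        attrs, path = m.group(3).lower(), m.group(4)
        if "h" in attrs and "s" in attrs and ROOT_FILE.match(path):
            hits.append(path)
    return hits


def triage(text):
    """Run both checks over a log and return the findings as one dict."""
    lines = text.splitlines()
    return {"autoruns": suspicious_autoruns(parse_mountpoints(lines)),
            "hidden_root_files": hidden_root_files(lines)}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("  ", item)
```

The `hidden_root_files` check matches both the Find3M layout (one timestamp) and the "Files Created" layout (two timestamps separated by a dot), which is why the timestamp group in `FILE_LINE` is optional; directory lines carry dashes where the size would be and are skipped. Keys other than MountPoints2 reset the parser, so a stray `\Shell\...` line under some other hive is not attributed to the wrong GUID.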

Korisnici trenutno na forumu: 8u47, A.R.Chafee.Jr., AleksSE, bankulen, BlackPhantom, Boris90, dejoglina, Marko Marković, mercedesamg, Miskohd, MrNo, nedjabanderas, pjaka2001, sakota79, Sale.S, vddutina