geebb.dll


  • Joined: 22 Dec 2007
  • Posts: 10

I have NOD32 and it shows me an infected file, and that file is geebb.dll. I downloaded HijackThis and here is my log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:47:32 PM, on 12/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\winshow.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LClock\lclock.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\ViStart\ViStart.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = windowsxlive.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49ED0CC7-2860-4FB3-B226-0672FB7F1C19} - C:\WINDOWS\system32\geebb.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {79D871D6-1227-4459-ABCE-982BC5036950} - C:\WINDOWS\system32\ssttq.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll (file missing)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\ijxsjvrr.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\kgmetrjv.dll (file missing)
O2 - BHO: (no name) - {C92B957B-4767-4E53-A63C-1E547C35F0C6} - C:\WINDOWS\system32\byxywvv.dll
O2 - BHO: (no name) - {E26CEADA-67B0-4543-BE8B-307F00265118} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O3 - Toolbar: Protection Bar - {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - C:\Program Files\Video ActiveX Access\iesbpl.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\kgmetrjv.dll (file missing)
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\BestsellerAntivirus\bm.exe" dm=http://bestsellerantivirus.com; ad=http://bestsellerantivirus.com
O4 - HKLM\..\Run: [rtasks] C:\Program Files\BestsellerAntivirus\rtasks.exe
O4 - HKLM\..\Run: [cc79ca10] rundll32.exe "C:\WINDOWS\system32\myriyles.dll",b
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKCU\..\Run: [L07AXLRD_147332046] "C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2007 DVD\EDICT.EXE" -m
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [viwc] C:\WINDOWS\system32\viwc.exe
O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe
O4 - HKCU\..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Video ActiveX Access\imsmain.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: ViStart.lnk = C:\Program Files\ViStart\ViStart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: ViOrb.lnk = C:\Documents and Settings\Thomas\Bureau\ViStart Setup\ViOrb\ViOrb.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: byxywvv - C:\WINDOWS\SYSTEM32\byxywvv.dll
O20 - Winlogon Notify: kgmetrjv - kgmetrjv.dll (file missing)
O20 - Winlogon Notify: ssqrssp - ssqrssp.dll (file missing)
O22 - SharedTaskScheduler: inscenation - {cfda6372-043c-48d2-ba3c-7bfe1cf71854} - C:\WINDOWS\system32\surzzh.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\xprbbkgi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

--
End of file - 9637 bytes


I can't delete the file, I don't know why.


Please help me, this has been bugging me for a long time and it slows down my computer.
Thanks

  • DEMIAN  Male
  • Legendary citizen
  • IT Manager
  • Joined: 25 Mar 2005
  • Posts: 3706
  • Location: The darkest place on earth..

@marko25

You have a few infections on the system. To start, follow these instructions closely.

-----------------------------------

1.) Download the program SmitfraudFix from this link.

2.) Extract the program to the desktop. (Prepare the HijackThis program the same way; it will be used later.)

3.) Restart the computer and boot the system into Safe Mode. [ Safe Mode info link ]

4.) Find the folder on the desktop where you unpacked SmitfraudFix and double-click the file SmitfraudFix.cmd.
When the removal tool starts for the first time it will show you a disclaimer screen. Simply press any key on the keyboard to move on to the next step.

5.)



6.) The program will begin cleaning the computer. After SmitfraudFix finishes cleaning,
Windows' own Disk Cleanup program will start.



After SmitFraudFix finishes its job, post the log found at C:\rapport.txt here, along with a fresh HJT log.

  • Joined: 22 Dec 2007
  • Posts: 10

Here, I did everything you said and it went through successfully; the file is still there, and so is the infection as far as I can see. Below are the logs you asked for, so take a look.

Thanks :D


SmitFraudFix v2.274

Scan done at 0:29:44.46, Sat 12/22/2007
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{cfda6372-043c-48d2-ba3c-7bfe1cf71854}"="inscenation"

[HKEY_CLASSES_ROOT\CLSID\{cfda6372-043c-48d2-ba3c-7bfe1cf71854}\InProcServer32]
@="C:\WINDOWS\system32\surzzh.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{cfda6372-043c-48d2-ba3c-7bfe1cf71854}\InProcServer32]
@="C:\WINDOWS\system32\surzzh.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\Tasks\At?.job Deleted
C:\WINDOWS\Tasks\At??.job Deleted
C:\DOCUME~1\ADMINI~1\FAVORI~1\Online Security Test.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{AB3F50C8-FF1C-4F49-96C9-AD9E78084ED2}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{AB3F50C8-FF1C-4F49-96C9-AD9E78084ED2}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AB3F50C8-FF1C-4F49-96C9-AD9E78084ED2}: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.77.130 68.87.72.130


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning not selected.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{cfda6372-043c-48d2-ba3c-7bfe1cf71854}"="inscenation"

[HKEY_CLASSES_ROOT\CLSID\{cfda6372-043c-48d2-ba3c-7bfe1cf71854}\InProcServer32]
@="C:\WINDOWS\system32\surzzh.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{cfda6372-043c-48d2-ba3c-7bfe1cf71854}\InProcServer32]
@="C:\WINDOWS\system32\surzzh.dll"



»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36:33 AM, on 12/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\explorer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = windowsxlive.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: Protection Bar - {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - C:\Program Files\Video ActiveX Access\iesbpl.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\kgmetrjv.dll (file missing)
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\BestsellerAntivirus\bm.exe" dm=http://bestsellerantivirus.com; ad=http://bestsellerantivirus.com
O4 - HKLM\..\Run: [rtasks] C:\Program Files\BestsellerAntivirus\rtasks.exe
O4 - HKLM\..\Run: [cc79ca10] rundll32.exe "C:\WINDOWS\system32\ejqoryde.dll",b
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKCU\..\Run: [L07AXLRD_147332046] "C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2007 DVD\EDICT.EXE" -m
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [viwc] C:\WINDOWS\system32\viwc.exe
O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe
O4 - HKCU\..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Video ActiveX Access\imsmain.exe
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: ViStart.lnk = C:\Program Files\ViStart\ViStart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: ViOrb.lnk = C:\Documents and Settings\Thomas\Bureau\ViStart Setup\ViOrb\ViOrb.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: inscenation - {cfda6372-043c-48d2-ba3c-7bfe1cf71854} - C:\WINDOWS\system32\surzzh.dll (file missing)
O23 - Service: DomainService - - C:\WINDOWS\system32\xprbbkgi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

--

  • DEMIAN  Male
  • Legendary citizen
  • IT Manager
  • Joined: 25 Mar 2005
  • Posts: 3706
  • Location: The darkest place on earth..

Don't worry, nobody is going to let any of the malware in those logs slip through. Just a little patience and it will all be sorted out.

Step 2:

Download VundoFix:
http://www.atribune.org/ccount/click.php?id=4

* Double-click the file VundoFix.exe to start it.
* Select the option Scan for Vundo.
* When the scan finishes and the message Done Searching for files appears, click OK.
* Now that the scan is done, click the option Remove Vundo.
* When asked whether to remove the Vundo files, click Yes.
* Running this option will leave the Desktop temporarily blank in order to prepare the system for removing Vundo.
* When it finishes, a notice about shutting down the computer will appear; click OK.
* Turn the computer back on and boot the system again.
* Copy the contents of the log at C:\vundofix.txt and a new HijackThis log into a post on the forum.

  • Joined: 22 Dec 2007
  • Posts: 10

Here, I did that too; the logs are below, so take a look, I have no idea anymore.

VundoFix V6.7.7

Checking Java version...

Scan started at 9:58:15 AM 12/22/2007

Listing files found while scanning....

C:\windows\system32\byxywvv.dll
C:\windows\system32\ccqqgwdx.ini
C:\windows\system32\fqjcpvzi.dll
C:\windows\system32\fqjcpvzi.dllbox
C:\windows\system32\gjqywatx.dll
C:\windows\system32\gjqywatx.dllbox
C:\windows\system32\hnmmmrjq.dll
C:\windows\system32\iifccdd.dll
C:\WINDOWS\system32\ijxsjvrr.dll
C:\WINDOWS\system32\kgmetrjv.dll
C:\windows\system32\kgmetrjv.dllbox
C:\windows\system32\qjrmmmnh.ini
C:\windows\system32\rqrrspp.dll
C:\windows\system32\rquhxjdq.dllbox
C:\windows\system32\rxekpydg.dll
C:\windows\system32\rxekpydg.dllbox
C:\windows\system32\ssqrs.dll
C:\WINDOWS\system32\ssqrssp.dll
C:\windows\system32\xdwgqqcc.dll

Beginning removal...

Beginning removal...

VundoFix V6.7.7

Checking Java version...

Scan started at 10:43:45 AM 12/22/2007

Listing files found while scanning....

C:\windows\system32\byxywvv.dll
C:\WINDOWS\system32\ijxsjvrr.dll
C:\WINDOWS\system32\kgmetrjv.dll
C:\windows\system32\rxekpydg.dll
C:\windows\system32\rxekpydg.dllbox
C:\windows\system32\ssqrs.dll
C:\WINDOWS\system32\ssqrssp.dll
C:\windows\system32\xdwgqqcc.dll

Beginning removal...

Attempting to delete C:\windows\system32\byxywvv.dll
C:\windows\system32\byxywvv.dll Could not be deleted.

Attempting to delete C:\windows\system32\rxekpydg.dll
C:\windows\system32\rxekpydg.dll Has been deleted!

Attempting to delete C:\windows\system32\rxekpydg.dllbox
C:\windows\system32\rxekpydg.dllbox Has been deleted!

Attempting to delete C:\windows\system32\ssqrs.dll
C:\windows\system32\ssqrs.dll Has been deleted!

Attempting to delete C:\windows\system32\xdwgqqcc.dll
C:\windows\system32\xdwgqqcc.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\byxywvv.dll
C:\windows\system32\byxywvv.dll Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:40 AM, on 12/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\winshow.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LClock\lclock.exe
C:\Program Files\ViStart\ViStart.exe
C:\Program Files\ViOrb\ViOrb.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = windowsxlive.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30338722-B9CF-4E85-BB21-412B68FC54C3} - C:\WINDOWS\system32\geebb.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {79D871D6-1227-4459-ABCE-982BC5036950} - C:\WINDOWS\system32\ssttq.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O2 - BHO: (no name) - {E26CEADA-67B0-4543-BE8B-307F00265118} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O3 - Toolbar: Protection Bar - {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - C:\Program Files\Video ActiveX Access\iesbpl.dll (file missing)
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\BestsellerAntivirus\bm.exe" dm=http://bestsellerantivirus.com; ad=http://bestsellerantivirus.com
O4 - HKLM\..\Run: [rtasks] C:\Program Files\BestsellerAntivirus\rtasks.exe
O4 - HKLM\..\Run: [cc79ca10] rundll32.exe "C:\WINDOWS\system32\ejqoryde.dll",b
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKCU\..\Run: [L07AXLRD_147332046] "C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2007 DVD\EDICT.EXE" -m
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [viwc] C:\WINDOWS\system32\viwc.exe
O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe
O4 - HKCU\..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Video ActiveX Access\imsmain.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: ViStart.lnk = C:\Program Files\ViStart\ViStart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: ViOrb.lnk = C:\Documents and Settings\Thomas\Bureau\ViStart Setup\ViOrb\ViOrb.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: kgmetrjv - kgmetrjv.dll (file missing)
O20 - Winlogon Notify: ssqrssp - ssqrssp.dll (file missing)
O22 - SharedTaskScheduler: inscenation - {cfda6372-043c-48d2-ba3c-7bfe1cf71854} - C:\WINDOWS\system32\surzzh.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\xprbbkgi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

--
End of file - 9311 bytes

DEMIAN
  • Legendary citizen
  • IT Manager
  • Joined: 25 Mar 2005
  • Posts: 3706
  • Location: The darkest place on earth..

marko25 :: I did that too, here are the logs below, so you take a look; I have no idea anymore.
You can read: you can see that each tool deleted something. What am I supposed to do with you when you have more malware on the system than Windows processes.

-----------------------
Run HijackThis, choose "Do a system scan only", tick the lines listed below (in the checkboxes next to them) and press "Fix Checked".

O2 - BHO: (no name) - {79D871D6-1227-4459-ABCE-982BC5036950} - C:\WINDOWS\system32\ssttq.dll (file missing)
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll (file missing)
O2 - BHO: (no name) - {E26CEADA-67B0-4543-BE8B-307F00265118} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O3 - Toolbar: Protection Bar - {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - C:\Program Files\Video ActiveX Access\iesbpl.dll (file missing)
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\BestsellerAntivirus\bm.exe" dm=http://bestsellerantivirus.com; ad=http://bestsellerantivirus.com
O4 - HKLM\..\Run: [rtasks] C:\Program Files\BestsellerAntivirus\rtasks.exe
O4 - HKLM\..\Run: [cc79ca10] rundll32.exe "C:\WINDOWS\system32\ejqoryde.dll",b
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Video ActiveX Access\imsmain.exe
O20 - Winlogon Notify: kgmetrjv - kgmetrjv.dll (file missing)
O20 - Winlogon Notify: ssqrssp - ssqrssp.dll (file missing)
O22 - SharedTaskScheduler: inscenation - {cfda6372-043c-48d2-ba3c-7bfe1cf71854} - C:\WINDOWS\system32\surzzh.dll (file missing)

Then restart the system into Safe Mode and delete the following folders:
C:\Program Files\BestsellerAntivirus\
C:\Program Files\Video ActiveX Access\
-------------------------------

Boot the system into normal mode. Download ComboFix from one of the following addresses:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Start it and don't touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log will appear; copy it here for us. Below it, also post a fresh HijackThis log. This time rename the application (HijackThis.exe) to something that doesn't suggest what it is, e.g. TR3.exe, and then scan.

marko25
  • Joined: 22 Dec 2007
  • Posts: 10

ok, I've understood everything except this:

This time rename the application (HijackThis.exe) to something that doesn't suggest what it is, e.g. TR3.exe, and then scan.

Addendum: 22 Dec 2007 20:07

There, I did the HijackThis part and then went into Safe Mode; those folders aren't there, so I didn't delete anything. Then I restarted in normal mode, downloaded ComboFix and it did its thing. Here are the logs below.



ComboFix 07-12-21.4 - Administrator 2007-12-22 13:31:46.1 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix(2).exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bold.log
C:\Documents and Settings\Administrator\Application Data\BestsellerAntivirus
C:\Documents and Settings\Administrator\Application Data\BestsellerAntivirus\avtasks.dat
C:\Documents and Settings\Administrator\Application Data\BestsellerAntivirus\Logs\av.log
C:\Documents and Settings\Administrator\Application Data\BestsellerAntivirus\Logs\ga6Support.log
C:\Documents and Settings\Administrator\Application Data\BestsellerAntivirus\Logs\update.log
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Program Files\Microsoft Security Adviser
C:\Program Files\Microsoft Security Adviser\msavsc.exe
C:\Program Files\Microsoft Security Adviser\msctrl.exe
C:\Program Files\Microsoft Security Adviser\msfw.exe
C:\Program Files\Microsoft Security Adviser\msiemon.exe
C:\Program Files\Microsoft Security Adviser\msscan.exe
C:\UGA6P
C:\WINDOWS\msavsc.dll
C:\WINDOWS\msctrl.dll
C:\WINDOWS\msfw.dll
C:\WINDOWS\msiemon.dll
C:\WINDOWS\msscan.dll
C:\WINDOWS\system32\bbeeg.bak1
C:\WINDOWS\system32\bbeeg.bak2
C:\WINDOWS\system32\bbeeg.ini
C:\WINDOWS\system32\bbeeg.ini2
C:\WINDOWS\system32\bbeeg.tmp
C:\WINDOWS\system32\exmroiqt.ini
C:\WINDOWS\system32\modiagax.ini
C:\WINDOWS\system32\pskill.exe
C:\WINDOWS\system32\qttss.bak2
C:\WINDOWS\system32\qttss.ini
C:\WINDOWS\system32\qttss.ini2
C:\WINDOWS\system32\qttss.tmp
C:\WINDOWS\system32\tkcdjocv.ini
C:\WINDOWS\system32\tqiormxe.dll
C:\WINDOWS\system32\vcojdckt.dll
C:\WINDOWS\system32\xagaidom.dll
C:\WINDOWS\winshow.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_OHCTUSB
-------\DomainService
-------\ohctusb


((((((((((((((((((((((((( Files Created from 2007-11-22 to 2007-12-22 )))))))))))))))))))))))))))))))
.

2007-12-22 13:48 . 2007-12-22 13:53 6,520 --ahs---- C:\WINDOWS\system32\bbeeg.ini
2007-12-22 09:58 . 2007-12-22 11:22 <DIR> d----c--- C:\VundoFix Backups
2007-12-22 00:30 . 2007-12-22 00:30 2,034 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-22 00:04 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-22 00:04 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-22 00:04 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2007-12-22 00:04 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-22 00:04 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-22 00:04 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-21 21:35 . 2007-12-22 11:24 991,722 --ahs---- C:\WINDOWS\system32\edyroqje.ini
2007-12-21 21:35 . 2007-12-21 21:35 85,568 --a--c--- C:\WINDOWS\system32\ejqoryde.dll
2007-12-21 21:35 . 2007-12-21 21:35 74,304 --a--c--- C:\WINDOWS\system32\hangcxua.exe
2007-12-21 18:34 . 2007-12-21 18:34 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-21 10:46 . 2007-12-21 10:48 <DIR> d----c--- C:\Documents and Settings\Administrator\bys
2007-12-16 17:23 . 2007-12-16 17:23 <DIR> d----c--- C:\Documents and Settings\Administrator\Parts
2007-12-15 15:11 . 2007-12-16 17:22 <DIR> d-------- C:\Program Files\Thoosje Sidebar V2.3
2007-12-15 14:37 . 2007-12-15 14:37 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-15 14:34 . 2007-12-16 17:24 <DIR> d-------- C:\Program Files\Sidebar
2007-12-15 13:44 . 2007-12-15 13:48 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\ViStart
2007-12-15 10:31 . 2007-12-15 10:31 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Styler
2007-12-15 10:30 . 2007-12-15 10:30 <DIR> d-------- C:\Program Files\WinFlip
2007-12-15 10:30 . 2007-12-15 10:30 <DIR> d-------- C:\Program Files\VisualTooltip
2007-12-15 10:30 . 2007-12-22 13:51 <DIR> d-------- C:\Program Files\ViStart
2007-12-15 10:30 . 2007-12-15 10:30 <DIR> d-------- C:\Program Files\Vista Sidebar
2007-12-15 10:30 . 2007-12-15 10:30 <DIR> d-------- C:\Program Files\ViOrb
2007-12-15 10:30 . 2007-12-15 10:30 <DIR> d-------- C:\Program Files\TrueTransparency
2007-12-15 10:30 . 2007-12-15 10:30 <DIR> d-------- C:\Program Files\LClock
2007-12-15 10:30 . 2007-04-15 01:30 6,181,376 --a------ C:\WINDOWS\system32\vistaui.exe
2007-12-15 10:30 . 2004-09-20 01:27 172,032 --a------ C:\WINDOWS\system32\LClock.cpl
2007-12-15 10:30 . 2007-11-25 22:11 49,208 --a------ C:\WINDOWS\system32\vistartup.bmp
2007-12-15 10:22 . 2007-12-15 10:22 78,942 --a------ C:\WINDOWS\Icon_2.ico
2007-12-14 19:47 . 2007-12-14 20:12 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-14 19:47 . 2007-12-14 19:47 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Thinstall
2007-12-10 01:00 . 2007-12-16 01:57 69 --a------ C:\WINDOWS\NeroDigital.ini
2007-12-09 23:12 . 2007-12-09 23:12 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Nero
2007-12-09 22:26 . 2007-12-09 22:26 <DIR> d-------- C:\Program Files\Nero
2007-12-09 22:26 . 2007-12-09 22:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-11-28 17:35 . 2007-11-28 17:35 32,764 --a------ C:\WINDOWS\17PHolmes77.exe
2007-11-28 17:34 . 2007-11-28 17:34 37,376 --a------ C:\WINDOWS\system32\ssqppnm.dll
2007-11-27 21:02 . 2007-11-27 21:02 63,488 --a------ C:\WINDOWS\system32\MCI32.oca
2007-11-26 21:49 . 2007-11-26 21:49 28 --a------ C:\WINDOWS\system32\srss.dat
2007-11-26 21:48 . 2007-11-26 21:50 <DIR> d-------- C:\Program Files\VoiceMaskPro
2007-11-26 21:47 . 2007-11-26 21:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-25 22:16 . 2007-12-21 17:26 <DIR> d-------- C:\Program Files\ApexDC++
2007-11-24 14:28 . 2007-11-24 14:28 <DIR> d-------- C:\Program Files\Microsoft Device Emulator
2007-11-24 14:26 . 2007-11-24 14:26 <DIR> d-------- C:\Program Files\Microsoft SQL Server 2005 Mobile Edition
2007-11-24 12:09 . 2007-11-24 12:09 <DIR> d-------- C:\WINDOWS\Symbols
2007-11-24 12:09 . 2007-11-24 14:37 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-11-24 12:09 . 2007-11-24 12:41 <DIR> d-------- C:\Program Files\HTML Help Workshop
2007-11-24 12:09 . 2007-11-24 12:39 <DIR> d-------- C:\Program Files\Common Files\Merge Modules
2007-11-24 12:09 . 2007-11-24 12:14 <DIR> d-------- C:\Program Files\Common Files\Business Objects
2007-11-24 12:09 . 2007-11-24 12:09 <DIR> d-------- C:\Program Files\CE Remote Tools
2007-11-24 12:09 . 2007-11-24 12:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
2007-11-24 11:44 . 2007-11-24 12:43 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2007-11-22 12:36 . 2007-11-22 12:39 <DIR> d-------- C:\Program Files\Maxthon2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-22 18:50 6,520 --sha-w C:\WINDOWS\system32\bbeeg.bak1
2007-12-21 22:38 --------- d-----w C:\Program Files\AskPBar
2007-12-20 00:10 --------- dc----w C:\Documents and Settings\Administrator\Application Data\.gaim
2007-12-19 23:43 --------- d-----w C:\Program Files\Paltalk Messenger
2007-12-15 23:00 --------- d-----w C:\Program Files\MSN Messenger
2007-12-15 15:30 --------- d-----w C:\Program Files\Styler
2007-12-12 17:44 --------- dc----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2007-12-10 03:32 --------- d-----w C:\Program Files\Common Files\Nero
2007-12-10 02:49 --------- d-----w C:\Program Files\Ahead
2007-11-30 10:56 329,029 ----a-w C:\WINDOWS\system32\viwc.exe
2007-11-27 02:42 --------- d-----w C:\Program Files\SplitCam
2007-11-24 19:52 --------- d-----w C:\Program Files\Microsoft SQL Server
2007-11-24 18:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-24 17:42 --------- d-----w C:\Program Files\MSBuild
2007-11-17 04:22 --------- d-----w C:\Program Files\Web Publish
2007-11-14 00:03 --------- d-----w C:\Program Files\Microsoft Games
2007-11-11 19:08 --------- d-----w C:\Program Files\Microsoft Small Business
2007-11-11 05:00 --------- dc----w C:\Documents and Settings\Administrator\Application Data\FileMaker
2007-11-10 20:04 --------- d-----w C:\Program Files\Microsoft Student
2007-11-10 19:09 --------- d-----w C:\Program Files\Learning Essentials
2007-11-10 03:47 --------- dc----w C:\Documents and Settings\Administrator\Application Data\Paltalk
2007-11-07 22:30 13,824 ----a-w C:\WINDOWS\system32\drivers\splitcam.sys
2007-11-07 03:12 71,232 -c--a-w C:\WINDOWS\system32\pjvyatye.exe
2007-11-07 02:32 87,104 -c--a-w C:\WINDOWS\system32\snfxvbgf.dll
2007-11-07 02:26 71,232 -c--a-w C:\WINDOWS\system32\dwmacvqs.exe
2007-11-07 02:05 87,104 -c--a-w C:\WINDOWS\system32\qduocony.dll
2007-11-07 02:03 71,232 -c--a-w C:\WINDOWS\system32\oodtwcko.exe
2007-11-07 01:31 71,232 -c--a-w C:\WINDOWS\system32\xprbbkgi.exe
2007-11-02 05:46 --------- d-----w C:\Program Files\OneStepSearch
2007-10-29 19:45 --------- d-----w C:\Program Files\ESP Demo
2007-10-29 17:13 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-10-25 20:19 --------- d-----w C:\Program Files\Common Files\Stardock
2007-10-25 20:14 --------- d-----w C:\Program Files\Real
2007-10-25 20:12 --------- d-----w C:\Program Files\Total Video Converter
2007-10-24 21:15 316,000 ----a-w C:\WINDOWS\system32\geebb.dll
2007-10-23 19:20 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-10-23 00:40 --------- d-----w C:\Program Files\Vista Start Menu
2007-10-22 13:51 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-10-22 01:08 --------- d-----w C:\Program Files\Stardock
2007-10-22 00:04 --------- d-----w C:\Program Files\TGTSoft
2007-10-18 02:52 389,184 ----a-w C:\WINDOWS\system32\yguwlsoi.exe
2007-10-17 09:44 389,184 ----a-w C:\WINDOWS\system32\onulyslc.exe
2007-10-16 09:43 389,184 ----a-w C:\WINDOWS\system32\aubkcbsd.exe
2007-10-15 09:46 389,184 ----a-w C:\WINDOWS\system32\avdccenf.exe
2007-10-14 16:51 389,184 ----a-w C:\WINDOWS\system32\aimacqxb.exe
2007-09-07 19:49 144,626 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_09_07_14_43_50_small.dmp.zip
2007-08-19 21:20 134,130 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_08_14_19_54_22_small.dmp.zip
2007-08-19 21:20 131,377 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_08_14_19_54_17_small.dmp.zip
2007-08-14 13:12 118,844 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_08_14_07_23_59_small.dmp.zip
2007-08-14 13:12 116,451 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_08_14_07_23_54_small.dmp.zip
2007-08-13 01:22 123,711 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_08_11_17_28_29_small.dmp.zip
2007-08-13 01:22 122,291 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_08_11_17_28_25_small.dmp.zip
2007-07-20 23:19 21,682,172 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_07_19_15_03_00_full.dmp.zip
2007-07-14 20:26 23,862,046 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_07_13_21_44_56_full.dmp.zip
2007-07-13 22:02 29,707,903 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_07_13_00_59_50_full.dmp.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5BAA16D-2362-4F5A-8DBF-F2025522ED79}]
2007-10-24 16:15 316000 --a------ C:\WINDOWS\system32\geebb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:56]
"LClock"="C:\Program Files\LClock\lclock.exe" [2004-09-20 01:27]
"L07AXLRD_147332046"="C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2007 DVD\EDICT.exe" [2006-06-10 04:10]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]
"viwc"="C:\WINDOWS\system32\viwc.exe" [2007-11-30 05:56]
"ViStart"="C:\Program Files\ViStart\ViStart.exe" [2007-11-26 19:27]
"ViOrb"="C:\Program Files\ViOrb\ViOrb.exe" [2007-11-19 13:01]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 17:56 C:\WINDOWS\system32\rundll32.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"nwiz"="nwiz.exe" [2004-02-23 14:43 C:\WINDOWS\system32\nwiz.exe]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-08-25 10:11]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-08-25 10:11]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 12:47 C:\WINDOWS\ALCXMNTR.EXE]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 08:51]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="cmd.exe" [2004-08-03 17:56 C:\WINDOWS\system32\cmd.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 15:59]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
ViStart.lnk - C:\Program Files\ViStart\ViStart.exe [2007-12-15 10:30:50]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50]
PalTalk.lnk - C:\Program Files\Paltalk Messenger\paltalk.exe [2007-11-26 18:24:37]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 22:07:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoInternetIcon"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2005-12-20 21:57 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geebb.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, digest.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=C:\WINDOWS\pss\Microsoft Office Groove.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^_.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\_.lnk
backup=C:\WINDOWS\pss\_.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MS_update_0704_KB74073.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MS_update_0704_KB74073.exe
backup=C:\WINDOWS\pss\MS_update_0704_KB74073.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=C:\WINDOWS\pss\PalTalk.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 23:47 31016 --a------ C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSRegScan]
C:\Program Files\ESP Demo\ESPDemo

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]
C:\Program Files\Eset\nod32kui.exe /WAITSERVICE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedX]
C:\PROGRA~1\MyPortal\Speed-X\SpeedX.exe


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService REG_MULTI_SZ Alerter WebClient LmHosts upnphost SSDPSRV

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{683e3443-e92a-11da-8207-ab5ab24a20ce}]
\Shell\AutoRun\command - L:\LaunchU3.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2007-12-22 13:52:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\geebb.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2649]
-> C:\WINDOWS\system32\geebb.dll
.
Completion time: 2007-12-22 13:57:07 - machine was rebooted

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:02:53 PM, on 12/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LClock\lclock.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ViStart\ViStart.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = windowsxlive.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O2 - BHO: (no name) - {B5BAA16D-2362-4F5A-8DBF-F2025522ED79} - C:\WINDOWS\system32\geebb.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKCU\..\Run: [L07AXLRD_147332046] "C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2007 DVD\EDICT.EXE" -m
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [viwc] C:\WINDOWS\system32\viwc.exe
O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe
O4 - HKCU\..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: ViStart.lnk = C:\Program Files\ViStart\ViStart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: ViOrb.lnk = C:\Documents and Settings\Thomas\Bureau\ViStart Setup\ViOrb\ViOrb.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

--
End of file - 7384 bytes

DEMIAN
  • Legendary citizen
  • IT Manager
  • Joined: 25 Mar 2005
  • Posts: 3706
  • Location: The darkest place on earth..

Open Notepad and copy this text into it:

File::
C:\WINDOWS\system32\yguwlsoi.exe
C:\WINDOWS\system32\onulyslc.exe
C:\WINDOWS\system32\aubkcbsd.exe
C:\WINDOWS\system32\avdccenf.exe
C:\WINDOWS\system32\aimacqxb.exe
C:\WINDOWS\system32\geebb.dll
C:\WINDOWS\system32\pjvyatye.exe
C:\WINDOWS\system32\snfxvbgf.dll
C:\WINDOWS\system32\dwmacvqs.exe
C:\WINDOWS\system32\qduocony.dll
C:\WINDOWS\system32\oodtwcko.exe
C:\WINDOWS\system32\xprbbkgi.exe
C:\WINDOWS\system32\bbeeg.bak1

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geebb.dll
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5BAA16D-2362-4F5A-8DBF-F2025522ED79}]


Save the Notepad file to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as in the picture.
In your next message, post the log that is produced at the end of the cleaning/scan.

Addendum: 22 Dec 2007 23:14

Regarding this:
marko25 :: This time rename the application (HijackThis.exe) to something that doesn't suggest what it is, e.g. TR3.exe, and then scan.
Right-click > Rename and, in place of HijackThis, type anything that doesn't suggest that name (the example in the pinned topic on this forum that describes how to post HJT logs is TR3.exe). I asked that of you because certain kinds of malware can detect HijackThis and "hide": they don't get listed in the log.

I hope that's clearer now.
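A worked triage of the log lines in this thread, added here as an example; it is not part of the original posts and not code from HijackThis or ComboFix. It applies the patterns behind the lines ticked in the first reply (add-ons with no name or no backing file, rundll32 loading a randomly named DLL through a one-letter export, Winlogon Notify and SharedTaskScheduler entries whose DLL is gone, a service with no vendor running a random binary from system32) and the two findings behind the CFScript in the later reply (geebb.dll registered as an LSA Authentication Package and reported loaded inside lsass.exe), then renders a File::/Registry:: script in the layout used above. The sample lines are abridged copies of the logs posted in the thread; the set of stock authentication packages (msv1_0 only) and the 5-9 letter random-name heuristic are assumptions of this example, not facts stated on the page.

```python
import re

# Sample log lines, constructed for this example by abridging the HijackThis and ComboFix
# logs posted earlier in this thread (same entries, same paths).
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B5BAA16D-2362-4F5A-8DBF-F2025522ED79} - C:\WINDOWS\system32\geebb.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [cc79ca10] rundll32.exe "C:\WINDOWS\system32\ejqoryde.dll",b
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O20 - Winlogon Notify: kgmetrjv - kgmetrjv.dll (file missing)
O22 - SharedTaskScheduler: inscenation - {cfda6372-043c-48d2-ba3c-7bfe1cf71854} - C:\WINDOWS\system32\surzzh.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\xprbbkgi.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geebb.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\geebb.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2649]
-> C:\WINDOWS\system32\geebb.dll
"""

# Assumption: a stock XP SP2 install lists only msv1_0 here. Anything else in this value is
# loaded into lsass.exe at boot, as SYSTEM, before any user logs on.
KNOWN_AUTH_PACKAGES = {"msv1_0"}
# Heuristic for the random 5-9 letter file names seen in this log (geebb.dll, xprbbkgi.exe ...).
# It is only ever combined with another signal, never used on its own.
RANDOM_NAME = re.compile(r"[a-z]{5,9}\.(?:dll|exe)", re.I)
RUNDLL = re.compile(r'rundll32\.exe\s+"?([^",]+\.dll)"?,\s*(\w+)', re.I)


def hjt_reason(line):
    """Why a HijackThis line should be ticked for "Fix Checked", or None if it looks benign.
    The rules encode what was ticked in this thread; they are triage heuristics, not signatures."""
    kind = line.split(" - ", 1)[0]
    if kind in ("O2", "O3") and any(t in line for t in ("(no name)", "(file missing)", "(no file)")):
        return "browser add-on with no name or no backing file"
    if kind == "O4":
        if "Policies\\Explorer\\Run" in line:
            return "autostart via the Policies\\Explorer\\Run key"
        m = RUNDLL.search(line)
        if m and RANDOM_NAME.fullmatch(m.group(1).rsplit("\\", 1)[-1]) and len(m.group(2)) <= 2:
            return "rundll32 loading a randomly named DLL by a one-letter export"
    if kind in ("O20", "O22") and "(file missing)" in line:
        return "Winlogon Notify / SharedTaskScheduler entry whose DLL is gone"
    if kind == "O23" and "Unknown owner" in line:
        path = line.rsplit(" - ", 1)[-1].replace(" (file missing)", "")
        if "system32" in path.lower() and RANDOM_NAME.fullmatch(path.rsplit("\\", 1)[-1]):
            return "service with no vendor running a randomly named binary from system32"
    return None


def triage_hjt(text):
    """Return [(line, reason)] for every line of a HijackThis log that hjt_reason flags."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        reason = hjt_reason(line) if line else None
        if reason:
            hits.append((line, reason))
    return hits


def rogue_auth_packages(text):
    """Entries in ComboFix's LSA 'Authentication Packages' line that are not stock packages."""
    for line in text.splitlines():
        if line.startswith("Authentication Packages"):
            values = line.split("REG_MULTI_SZ", 1)[1].split()  # fine for system32 paths, which have no spaces
            return [v for v in values if v.lower() not in KNOWN_AUTH_PACKAGES]
    return []


def dlls_in_lsass(text):
    """DLLs ComboFix lists under 'DLLs Loaded Under Running Processes' for lsass.exe."""
    found, in_lsass = [], False
    for line in text.splitlines():
        if line.startswith("PROCESS:"):
            in_lsass = "lsass.exe" in line.lower()
        elif in_lsass and line.startswith("->"):
            found.append(line[2:].strip())
    return found


def build_cfscript(files, registry_keys):
    """Render a ComboFix CFScript in the File:: / Registry:: layout used in the thread:
    each file is deleted, each key in registry_keys is removed with the [-key] form."""
    lines = ["File::", *files, "", "Registry::", *(f"[-{k}]" for k in registry_keys)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for line, reason in triage_hjt(HJT_SAMPLE):
        print(f"TICK  {reason}\n      {line}")
    rogue = rogue_auth_packages(COMBOFIX_SAMPLE)
    print("rogue LSA auth packages:", rogue, "| loaded in lsass:", dlls_in_lsass(COMBOFIX_SAMPLE))
    bho = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5BAA16D-2362-4F5A-8DBF-F2025522ED79}"
    print(build_cfscript(rogue, [bho]))
```

Run on the sample, seven of the eleven HijackThis lines come back ticked; the Adobe BHO, the NVIDIA rundll32 entry, the Eset service and the orphaned Roxio service do not, matching what was ticked above (the Roxio line is "Unknown owner" but the binary is neither in system32 nor randomly named, which is why the heuristic is deliberately a combination of signals). The Authentication Packages value is the persistence that matters most here: the DLL is mapped into lsass.exe at boot as SYSTEM, which is why ComboFix reports it under lsass.exe and Explorer.EXE and why the CFScript has to go after the registry value and not only the file. If you correct that value by hand instead, set Authentication Packages back to `msv1_0` alone; the Lsa key itself also carries the rest of the security subsystem configuration and should stay.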

marko25
  • Joined: 22 Dec 2007
  • Posts: 10

Here are the logs

ComboFix 07-12-21.4 - Administrator 2007-12-22 13:31:46.1 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix(2).exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bold.log
C:\Documents and Settings\Administrator\Application Data\BestsellerAntivirus
C:\Documents and Settings\Administrator\Application Data\BestsellerAntivirus\avtasks.dat
C:\Documents and Settings\Administrator\Application Data\BestsellerAntivirus\Logs\av.log
C:\Documents and Settings\Administrator\Application Data\BestsellerAntivirus\Logs\ga6Support.log
C:\Documents and Settings\Administrator\Application Data\BestsellerAntivirus\Logs\update.log
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Program Files\Microsoft Security Adviser
C:\Program Files\Microsoft Security Adviser\msavsc.exe
C:\Program Files\Microsoft Security Adviser\msctrl.exe
C:\Program Files\Microsoft Security Adviser\msfw.exe
C:\Program Files\Microsoft Security Adviser\msiemon.exe
C:\Program Files\Microsoft Security Adviser\msscan.exe
C:\UGA6P
C:\WINDOWS\msavsc.dll
C:\WINDOWS\msctrl.dll
C:\WINDOWS\msfw.dll
C:\WINDOWS\msiemon.dll
C:\WINDOWS\msscan.dll
C:\WINDOWS\system32\bbeeg.bak1
C:\WINDOWS\system32\bbeeg.bak2
C:\WINDOWS\system32\bbeeg.ini
C:\WINDOWS\system32\bbeeg.ini2
C:\WINDOWS\system32\bbeeg.tmp
C:\WINDOWS\system32\exmroiqt.ini
C:\WINDOWS\system32\modiagax.ini
C:\WINDOWS\system32\pskill.exe
C:\WINDOWS\system32\qttss.bak2
C:\WINDOWS\system32\qttss.ini
C:\WINDOWS\system32\qttss.ini2
C:\WINDOWS\system32\qttss.tmp
C:\WINDOWS\system32\tkcdjocv.ini
C:\WINDOWS\system32\tqiormxe.dll
C:\WINDOWS\system32\vcojdckt.dll
C:\WINDOWS\system32\xagaidom.dll
C:\WINDOWS\winshow.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_OHCTUSB
-------\DomainService
-------\ohctusb


((((((((((((((((((((((((( Files Created from 2007-11-22 to 2007-12-22 )))))))))))))))))))))))))))))))
.

2007-12-22 13:48 . 2007-12-22 13:53 6,520 --ahs---- C:\WINDOWS\system32\bbeeg.ini
2007-12-22 09:58 . 2007-12-22 11:22 <DIR> d----c--- C:\VundoFix Backups
2007-12-22 00:30 . 2007-12-22 00:30 2,034 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-22 00:04 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-22 00:04 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-22 00:04 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2007-12-22 00:04 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-22 00:04 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-22 00:04 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-21 21:35 . 2007-12-22 11:24 991,722 --ahs---- C:\WINDOWS\system32\edyroqje.ini
2007-12-21 21:35 . 2007-12-21 21:35 85,568 --a--c--- C:\WINDOWS\system32\ejqoryde.dll
2007-12-21 21:35 . 2007-12-21 21:35 74,304 --a--c--- C:\WINDOWS\system32\hangcxua.exe
2007-12-21 18:34 . 2007-12-21 18:34 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-21 10:46 . 2007-12-21 10:48 <DIR> d----c--- C:\Documents and Settings\Administrator\bys
2007-12-16 17:23 . 2007-12-16 17:23 <DIR> d----c--- C:\Documents and Settings\Administrator\Parts
2007-12-15 15:11 . 2007-12-16 17:22 <DIR> d-------- C:\Program Files\Thoosje Sidebar V2.3
2007-12-15 14:37 . 2007-12-15 14:37 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-15 14:34 . 2007-12-16 17:24 <DIR> d-------- C:\Program Files\Sidebar
2007-12-15 13:44 . 2007-12-15 13:48 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\ViStart
2007-12-15 10:31 . 2007-12-15 10:31 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Styler
2007-12-15 10:30 . 2007-12-15 10:30 <DIR> d-------- C:\Program Files\WinFlip
2007-12-15 10:30 . 2007-12-15 10:30 <DIR> d-------- C:\Program Files\VisualTooltip
2007-12-15 10:30 . 2007-12-22 13:51 <DIR> d-------- C:\Program Files\ViStart
2007-12-15 10:30 . 2007-12-15 10:30 <DIR> d-------- C:\Program Files\Vista Sidebar
2007-12-15 10:30 . 2007-12-15 10:30 <DIR> d-------- C:\Program Files\ViOrb
2007-12-15 10:30 . 2007-12-15 10:30 <DIR> d-------- C:\Program Files\TrueTransparency
2007-12-15 10:30 . 2007-12-15 10:30 <DIR> d-------- C:\Program Files\LClock
2007-12-15 10:30 . 2007-04-15 01:30 6,181,376 --a------ C:\WINDOWS\system32\vistaui.exe
2007-12-15 10:30 . 2004-09-20 01:27 172,032 --a------ C:\WINDOWS\system32\LClock.cpl
2007-12-15 10:30 . 2007-11-25 22:11 49,208 --a------ C:\WINDOWS\system32\vistartup.bmp
2007-12-15 10:22 . 2007-12-15 10:22 78,942 --a------ C:\WINDOWS\Icon_2.ico
2007-12-14 19:47 . 2007-12-14 20:12 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-14 19:47 . 2007-12-14 19:47 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Thinstall
2007-12-10 01:00 . 2007-12-16 01:57 69 --a------ C:\WINDOWS\NeroDigital.ini
2007-12-09 23:12 . 2007-12-09 23:12 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Nero
2007-12-09 22:26 . 2007-12-09 22:26 <DIR> d-------- C:\Program Files\Nero
2007-12-09 22:26 . 2007-12-09 22:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-11-28 17:35 . 2007-11-28 17:35 32,764 --a------ C:\WINDOWS\17PHolmes77.exe
2007-11-28 17:34 . 2007-11-28 17:34 37,376 --a------ C:\WINDOWS\system32\ssqppnm.dll
2007-11-27 21:02 . 2007-11-27 21:02 63,488 --a------ C:\WINDOWS\system32\MCI32.oca
2007-11-26 21:49 . 2007-11-26 21:49 28 --a------ C:\WINDOWS\system32\srss.dat
2007-11-26 21:48 . 2007-11-26 21:50 <DIR> d-------- C:\Program Files\VoiceMaskPro
2007-11-26 21:47 . 2007-11-26 21:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-25 22:16 . 2007-12-21 17:26 <DIR> d-------- C:\Program Files\ApexDC++
2007-11-24 14:28 . 2007-11-24 14:28 <DIR> d-------- C:\Program Files\Microsoft Device Emulator
2007-11-24 14:26 . 2007-11-24 14:26 <DIR> d-------- C:\Program Files\Microsoft SQL Server 2005 Mobile Edition
2007-11-24 12:09 . 2007-11-24 12:09 <DIR> d-------- C:\WINDOWS\Symbols
2007-11-24 12:09 . 2007-11-24 14:37 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-11-24 12:09 . 2007-11-24 12:41 <DIR> d-------- C:\Program Files\HTML Help Workshop
2007-11-24 12:09 . 2007-11-24 12:39 <DIR> d-------- C:\Program Files\Common Files\Merge Modules
2007-11-24 12:09 . 2007-11-24 12:14 <DIR> d-------- C:\Program Files\Common Files\Business Objects
2007-11-24 12:09 . 2007-11-24 12:09 <DIR> d-------- C:\Program Files\CE Remote Tools
2007-11-24 12:09 . 2007-11-24 12:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
2007-11-24 11:44 . 2007-11-24 12:43 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2007-11-22 12:36 . 2007-11-22 12:39 <DIR> d-------- C:\Program Files\Maxthon2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-22 18:50 6,520 --sha-w C:\WINDOWS\system32\bbeeg.bak1
2007-12-21 22:38 --------- d-----w C:\Program Files\AskPBar
2007-12-20 00:10 --------- dc----w C:\Documents and Settings\Administrator\Application Data\.gaim
2007-12-19 23:43 --------- d-----w C:\Program Files\Paltalk Messenger
2007-12-15 23:00 --------- d-----w C:\Program Files\MSN Messenger
2007-12-15 15:30 --------- d-----w C:\Program Files\Styler
2007-12-12 17:44 --------- dc----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2007-12-10 03:32 --------- d-----w C:\Program Files\Common Files\Nero
2007-12-10 02:49 --------- d-----w C:\Program Files\Ahead
2007-11-30 10:56 329,029 ----a-w C:\WINDOWS\system32\viwc.exe
2007-11-27 02:42 --------- d-----w C:\Program Files\SplitCam
2007-11-24 19:52 --------- d-----w C:\Program Files\Microsoft SQL Server
2007-11-24 18:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-24 17:42 --------- d-----w C:\Program Files\MSBuild
2007-11-17 04:22 --------- d-----w C:\Program Files\Web Publish
2007-11-14 00:03 --------- d-----w C:\Program Files\Microsoft Games
2007-11-11 19:08 --------- d-----w C:\Program Files\Microsoft Small Business
2007-11-11 05:00 --------- dc----w C:\Documents and Settings\Administrator\Application Data\FileMaker
2007-11-10 20:04 --------- d-----w C:\Program Files\Microsoft Student
2007-11-10 19:09 --------- d-----w C:\Program Files\Learning Essentials
2007-11-10 03:47 --------- dc----w C:\Documents and Settings\Administrator\Application Data\Paltalk
2007-11-07 22:30 13,824 ----a-w C:\WINDOWS\system32\drivers\splitcam.sys
2007-11-07 03:12 71,232 -c--a-w C:\WINDOWS\system32\pjvyatye.exe
2007-11-07 02:32 87,104 -c--a-w C:\WINDOWS\system32\snfxvbgf.dll
2007-11-07 02:26 71,232 -c--a-w C:\WINDOWS\system32\dwmacvqs.exe
2007-11-07 02:05 87,104 -c--a-w C:\WINDOWS\system32\qduocony.dll
2007-11-07 02:03 71,232 -c--a-w C:\WINDOWS\system32\oodtwcko.exe
2007-11-07 01:31 71,232 -c--a-w C:\WINDOWS\system32\xprbbkgi.exe
2007-11-02 05:46 --------- d-----w C:\Program Files\OneStepSearch
2007-10-29 19:45 --------- d-----w C:\Program Files\ESP Demo
2007-10-29 17:13 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-10-25 20:19 --------- d-----w C:\Program Files\Common Files\Stardock
2007-10-25 20:14 --------- d-----w C:\Program Files\Real
2007-10-25 20:12 --------- d-----w C:\Program Files\Total Video Converter
2007-10-24 21:15 316,000 ----a-w C:\WINDOWS\system32\geebb.dll
2007-10-23 19:20 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-10-23 00:40 --------- d-----w C:\Program Files\Vista Start Menu
2007-10-22 13:51 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-10-22 01:08 --------- d-----w C:\Program Files\Stardock
2007-10-22 00:04 --------- d-----w C:\Program Files\TGTSoft
2007-10-18 02:52 389,184 ----a-w C:\WINDOWS\system32\yguwlsoi.exe
2007-10-17 09:44 389,184 ----a-w C:\WINDOWS\system32\onulyslc.exe
2007-10-16 09:43 389,184 ----a-w C:\WINDOWS\system32\aubkcbsd.exe
2007-10-15 09:46 389,184 ----a-w C:\WINDOWS\system32\avdccenf.exe
2007-10-14 16:51 389,184 ----a-w C:\WINDOWS\system32\aimacqxb.exe
2007-09-07 19:49 144,626 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_09_07_14_43_50_small.dmp.zip
2007-08-19 21:20 134,130 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_08_14_19_54_22_small.dmp.zip
2007-08-19 21:20 131,377 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_08_14_19_54_17_small.dmp.zip
2007-08-14 13:12 118,844 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_08_14_07_23_59_small.dmp.zip
2007-08-14 13:12 116,451 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_08_14_07_23_54_small.dmp.zip
2007-08-13 01:22 123,711 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_08_11_17_28_29_small.dmp.zip
2007-08-13 01:22 122,291 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_08_11_17_28_25_small.dmp.zip
2007-07-20 23:19 21,682,172 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_07_19_15_03_00_full.dmp.zip
2007-07-14 20:26 23,862,046 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_07_13_21_44_56_full.dmp.zip
2007-07-13 22:02 29,707,903 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_07_13_00_59_50_full.dmp.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5BAA16D-2362-4F5A-8DBF-F2025522ED79}]
2007-10-24 16:15 316000 --a------ C:\WINDOWS\system32\geebb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:56]
"LClock"="C:\Program Files\LClock\lclock.exe" [2004-09-20 01:27]
"L07AXLRD_147332046"="C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2007 DVD\EDICT.exe" [2006-06-10 04:10]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]
"viwc"="C:\WINDOWS\system32\viwc.exe" [2007-11-30 05:56]
"ViStart"="C:\Program Files\ViStart\ViStart.exe" [2007-11-26 19:27]
"ViOrb"="C:\Program Files\ViOrb\ViOrb.exe" [2007-11-19 13:01]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 17:56 C:\WINDOWS\system32\rundll32.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"nwiz"="nwiz.exe" [2004-02-23 14:43 C:\WINDOWS\system32\nwiz.exe]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-08-25 10:11]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-08-25 10:11]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 12:47 C:\WINDOWS\ALCXMNTR.EXE]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 08:51]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="cmd.exe" [2004-08-03 17:56 C:\WINDOWS\system32\cmd.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 15:59]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
ViStart.lnk - C:\Program Files\ViStart\ViStart.exe [2007-12-15 10:30:50]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50]
PalTalk.lnk - C:\Program Files\Paltalk Messenger\paltalk.exe [2007-11-26 18:24:37]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 22:07:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoInternetIcon"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2005-12-20 21:57 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geebb.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, digest.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=C:\WINDOWS\pss\Microsoft Office Groove.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^_.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\_.lnk
backup=C:\WINDOWS\pss\_.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MS_update_0704_KB74073.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MS_update_0704_KB74073.exe
backup=C:\WINDOWS\pss\MS_update_0704_KB74073.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=C:\WINDOWS\pss\PalTalk.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 23:47 31016 --a------ C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSRegScan]
C:\Program Files\ESP Demo\ESPDemo

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]
C:\Program Files\Eset\nod32kui.exe /WAITSERVICE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedX]
C:\PROGRA~1\MyPortal\Speed-X\SpeedX.exe


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService REG_MULTI_SZ Alerter WebClient LmHosts upnphost SSDPSRV

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{683e3443-e92a-11da-8207-ab5ab24a20ce}]
\Shell\AutoRun\command - L:\LaunchU3.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2007-12-22 13:52:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\geebb.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2649]
-> C:\WINDOWS\system32\geebb.dll
.
Completion time: 2007-12-22 13:57:07 - machine was rebooted

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:52, on 2007-12-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LClock\lclock.exe
C:\Program Files\ViStart\ViStart.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = windowsxlive.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKCU\..\Run: [L07AXLRD_147332046] "C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2007 DVD\EDICT.EXE" -m
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [viwc] C:\WINDOWS\system32\viwc.exe
O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe
O4 - HKCU\..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: ViStart.lnk = C:\Program Files\ViStart\ViStart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: ViOrb.lnk = C:\Documents and Settings\Thomas\Bureau\ViStart Setup\ViOrb\ViOrb.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

--
End of file - 7407 bytes
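A defender's check for the persistence mechanism visible in the ComboFix log above (geebb.dll registered as an LSA authentication package and therefore loaded into lsass.exe), written for this thread as an added example and not code from ComboFix or from the forum: it parses the "Reg Loading Points" and "DLLs Loaded Under Running Processes" sections of a constructed excerpt mirroring that log and flags every Authentication Packages entry that is not the stock msv1_0, then confirms it against what lsass.exe actually has loaded. The stock-package set and the space-splitting heuristic for REG_MULTI_SZ values are the example's own assumptions.

```python
# Added example for this thread (not ComboFix's own code): flag non-stock LSA
# Authentication Packages in a ComboFix-style log. A DLL registered under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa is loaded into lsass.exe at boot.
import re

# Stock value on Windows XP/2003 is msv1_0 alone (this example's assumption).
KNOWN_AUTH_PACKAGES = {"msv1_0"}
LSA_KEY_SUFFIX = r"\system\currentcontrolset\control\lsa"

# Constructed excerpt mirroring the 'Reg Loading Points' and 'DLLs Loaded
# Under Running Processes' sections of the log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5BAA16D-2362-4F5A-8DBF-F2025522ED79}]
2007-10-24 16:15 316000 --a------ C:\WINDOWS\system32\geebb.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geebb.dll

--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\geebb.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2649]
-> C:\WINDOWS\system32\geebb.dll
"""

def split_multi_sz(value: str) -> list[str]:
    """Split ComboFix's space-joined REG_MULTI_SZ text. Heuristic (this example's
    own): a token after a drive-letter path not yet ending in '.dll' continues it."""
    entries: list[str] = []
    for tok in value.split():
        prev = entries[-1] if entries else ""
        if re.match(r"^[A-Za-z]:\\", prev) and not prev.lower().endswith(".dll"):
            entries[-1] = prev + " " + tok
        else:
            entries.append(tok)
    return entries

def auth_packages(log_text: str) -> list[str]:
    """Authentication Packages entries found under the LSA key block, or []."""
    in_lsa = False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            in_lsa = line[1:-1].lower().endswith(LSA_KEY_SUFFIX)
        elif in_lsa:
            m = re.match(r"Authentication Packages\s+REG_MULTI_SZ\s+(.*)", line, re.I)
            if m:
                return split_multi_sz(m.group(1))
    return []

def suspicious_auth_packages(entries: list[str]) -> list[str]:
    """Entries given as a full path (stock packages are bare names resolved from
    System32) or whose base name is outside KNOWN_AUTH_PACKAGES."""
    bad: list[str] = []
    for entry in entries:
        base = entry.split("\\")[-1].lower().removesuffix(".dll")
        if "\\" in entry or base not in KNOWN_AUTH_PACKAGES:
            bad.append(entry)
    return bad

def dlls_loaded_in(log_text: str, process_name: str) -> list[str]:
    """DLLs listed under 'PROCESS: ...process_name' in the loaded-DLLs section."""
    found: list[str] = []
    in_proc = False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line.upper().startswith("PROCESS:"):
            in_proc = process_name.lower() in line.lower()
        elif not line:
            in_proc = False  # a blank line ends the process's DLL list
        elif in_proc and line.startswith("->"):
            found.append(line[2:].strip())
    return found

def analyze(log_text: str) -> dict[str, list[str]]:
    """Cross-check registered auth packages against what lsass.exe has loaded."""
    pkgs = auth_packages(log_text)
    bad = suspicious_auth_packages(pkgs)
    lsass = dlls_loaded_in(log_text, "lsass.exe")
    bad_lower = {b.lower() for b in bad}
    return {"auth_packages": pkgs, "suspicious": bad, "lsass_dlls": lsass,
            "confirmed_in_lsass": [d for d in lsass if d.lower() in bad_lower]}
```

An entry that shows up both as a non-stock authentication package and in lsass.exe's loaded DLLs is the strongest signal here; a non-stock name with no matching loaded DLL still deserves a look, since it may only load on the next boot.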

offline
  • DEMIAN  Male
  • Legendary citizen
  • IT Manager
  • Joined: 25 Mar 2005
  • Posts: 3706
  • Where do you live: The darkest place on earth..

As far as I can see from this latest HJT log, there is nothing malicious left to remove.

How is the computer doing? Is the problem you originally complained about still occurring?
