log HJ i Combofix ... mislim da ima tu neki virus

log HJ i Combofix ... mislim da ima tu neki virus

offline
  • Pridružio: 24 Okt 2007
  • Poruke: 122

combofix:

ComboFix 09-06-11.06 - miki 06/12/2009 17:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1790.1364 [GMT 2:00]
Running from: c:\documents and settings\miki\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\windowsupdate.com
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\windows\system32\Mlkf.dll
c:\windows\system32\pncrt.dll
c:\windows\system32\spool.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))
.

2009-06-07 07:31 . 2009-06-07 07:31 -------- d-----w- c:\windows\system32\XPSViewer
2009-06-07 07:31 . 2009-06-07 07:31 -------- d-----w- c:\program files\MSBuild
2009-06-07 07:30 . 2009-06-07 07:30 -------- d-----w- c:\program files\Reference Assemblies
2009-06-07 07:30 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-07 07:30 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-07 07:30 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-06-07 07:30 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-06-07 07:30 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-06-07 07:30 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-06-07 07:30 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-07 07:30 . 2009-06-07 07:30 -------- d-----w- C:\4eefef919900c58531898c6ab354d2
2009-06-07 07:29 . 2009-06-07 09:39 -------- d-----w- c:\windows\SxsCaPendDel
2009-06-06 16:16 . 2009-06-06 16:16 -------- d-----w- c:\program files\iPod
2009-06-06 16:16 . 2009-06-06 16:16 -------- d-----w- c:\program files\iTunes
2009-06-06 16:14 . 2009-06-06 16:15 -------- d-----w- c:\program files\QuickTime
2009-06-06 16:11 . 2009-06-06 16:11 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-27 17:27 . 2009-06-06 12:49 0 ----a-w- c:\program files\Common Files\chd.exe
2009-05-27 17:03 . 2009-05-27 17:03 -------- d-----w- c:\program files\Elcomsoft
2009-05-18 15:55 . 2009-05-18 15:55 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2009-05-14 20:36 . 2009-05-14 20:36 -------- d-----w- C:\a1c31643af160503c65e

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-11 11:19 . 2009-05-03 13:57 41 ----a-w- c:\windows\system32\mslck.dat
2009-06-11 08:42 . 2009-04-09 21:30 -------- d-----w- c:\documents and settings\miki\Application Data\uTorrent
2009-06-08 18:40 . 2009-05-06 20:13 -------- d-----w- c:\documents and settings\miki\Application Data\Skype
2009-06-08 17:30 . 2009-05-06 20:17 -------- d-----w- c:\documents and settings\miki\Application Data\skypePM
2009-06-07 14:40 . 2009-04-14 18:46 -------- d-----w- c:\documents and settings\miki\Application Data\Apple Computer
2009-06-07 09:42 . 2009-04-09 19:23 30584 ----a-w- c:\documents and settings\miki\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-06 16:16 . 2009-04-14 18:38 -------- d-----w- c:\program files\Common Files\Apple
2009-06-06 12:45 . 2009-04-28 19:52 -------- d-----w- c:\program files\FolderAccess
2009-06-01 05:19 . 2009-04-09 21:30 -------- d-----w- c:\program files\uTorrent
2009-05-29 11:36 . 2009-04-14 18:39 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-29 11:36 . 2009-04-14 18:39 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-05-28 20:51 . 2009-05-09 02:09 -------- d-----w- c:\documents and settings\miki\Application Data\gtk-2.0
2009-05-28 01:00 . 2009-04-09 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-27 16:03 . 2009-04-09 19:16 -------- d-----w- c:\program files\Launch Manager
2009-05-09 08:40 . 2009-04-12 15:52 -------- d-----w- c:\program files\Winamp
2009-05-09 08:39 . 2009-04-12 15:52 -------- d-----w- c:\documents and settings\miki\Application Data\Winamp
2009-05-09 02:04 . 2009-05-09 02:04 -------- d-----w- c:\program files\GIMP-2.0
2009-05-06 20:17 . 2009-05-06 20:17 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-05-06 20:12 . 2009-05-06 20:12 -------- d-----r- c:\program files\Skype
2009-05-06 20:12 . 2009-05-06 20:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-05-06 20:12 . 2009-05-06 20:12 -------- d-----w- c:\program files\Common Files\Skype
2009-05-04 17:39 . 2009-05-04 17:39 -------- d-----w- c:\program files\VeryPDF PDF2Word v3.0
2009-05-04 17:28 . 2009-05-04 17:28 -------- d-----w- c:\program files\PDF Password Remover v3.0
2009-05-04 17:17 . 2009-04-12 15:42 -------- d-----w- c:\program files\Tweak PDF Converter
2009-05-03 16:37 . 2009-05-03 16:37 -------- d-----w- c:\documents and settings\miki\Application Data\DivX
2009-05-03 12:35 . 2009-05-03 12:35 -------- d-----w- c:\program files\Foxit Software
2009-05-03 12:35 . 2009-05-03 12:35 -------- d-----w- c:\documents and settings\miki\Application Data\Foxit
2009-05-03 12:07 . 2009-05-03 11:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Pinnacle
2009-05-03 12:01 . 2009-05-03 12:01 -------- d-----w- c:\program files\DivX
2009-05-03 11:58 . 2009-05-03 11:58 -------- d-----w- c:\program files\MSXML 4.0
2009-05-03 11:55 . 2009-05-03 11:55 -------- d-----w- c:\program files\Pinnacle
2009-05-03 11:55 . 2009-04-09 19:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-02 19:30 . 2009-05-02 19:30 -------- d-----w- c:\documents and settings\miki\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-04-28 19:48 . 2009-04-28 19:31 -------- d-----w- c:\program files\Xilisoft
2009-04-25 09:03 . 2009-04-25 09:03 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-04-25 09:03 . 2009-04-09 18:59 -------- d-----w- c:\program files\Java
2009-04-24 17:42 . 2009-04-24 17:42 152576 ----a-w- c:\documents and settings\miki\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-23 17:23 . 2009-04-09 20:35 90112 ----a-w- c:\windows\DUMP5265.tmp
2009-04-14 20:04 . 2009-04-14 20:04 -------- d-----w- c:\documents and settings\miki\Application Data\Xilisoft Corporation
2009-04-14 19:50 . 2009-04-14 19:50 -------- d-----w- c:\program files\ffdshow
2009-04-14 19:31 . 2009-04-14 19:31 -------- d-----w- c:\program files\YouTube Downloader
2009-04-14 18:45 . 2009-04-14 18:45 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-14 18:45 . 2009-04-14 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-04-14 18:44 . 2009-04-14 18:44 -------- d-----w- c:\program files\Bonjour
2009-04-14 18:39 . 2009-04-14 18:39 -------- d-----w- c:\program files\Apple Software Update
2009-04-14 18:38 . 2009-04-14 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-04-09 20:46 . 2009-04-09 18:54 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-09 19:22 . 2009-04-09 19:22 127 ----a-w- c:\documents and settings\miki\Local Settings\Application Data\fusioncache.dat
2009-04-09 18:52 . 2009-04-09 18:52 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-03-30 18:01 . 2009-04-14 19:50 84480 ----a-w- c:\windows\system32\ff_vfw.dll
2009-03-30 18:01 . 2009-04-14 19:50 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-03-25 04:29 . 2009-04-09 19:26 130432 ----a-w- c:\windows\system32\drivers\Rtnicxp.sys
2009-03-19 14:32 . 2009-04-14 18:45 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-19 14:32 . 2009-03-19 14:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-16 16:42 . 2009-03-16 16:42 524288 ----a-w- c:\windows\opuc.dll
2009-03-16 16:42 . 2009-04-09 21:47 264704 ------w- c:\documents and settings\miki\Application Data\OfficeUpdate12\oudetect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-25 148888]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-01-20 761946]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2005-07-25 32768]
"HotkeyApp"="c:\program files\Launch Manager\HotkeyApp.exe" [2005-07-28 57344]
"LMgrVolOSD"="c:\program files\Launch Manager\OSD.exe" [2005-03-16 204800]
"LMgrOSD"="c:\program files\Launch Manager\OSDCtrl.exe" [2005-07-25 241664]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2005-07-25 81920]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-20 177472]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-18 16207872]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKLM\~\startupfolder\C:^Documents and Settings^miki^Start Menu^Programs^Startup^OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk]
path=c:\documents and settings\miki\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk
backup=c:\windows\pss\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 PctvVirtualNdis;Pinnacle Virtual Miniport;c:\windows\system32\drivers\PctvVirtualNdis.sys [5/3/2009 2:00 PM 13696]
S1 mailKmd;mailKmd; [x]
S3 Ltn_stk7070P;PCTV based TV tuner device;c:\windows\system32\drivers\Ltn_stk7070P.sys [5/3/2009 2:00 PM 466048]
S3 Ltn_stkrc;PCTV Infrared Receiver;c:\windows\system32\drivers\Ltn_stkrc.sys [5/3/2009 2:00 PM 13440]
.
Contents of the 'Scheduled Tasks' folder

2009-06-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-06-12 17:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,24,38,06,b7,00,
48,45,07,c8,28,51,af,b0,29,a3,98,40,a1,56,b9,35,3f,7c,fe,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,3a,9c,37,b7,5f,
b5,75,df,71,3b,04,66,8b,46,0d,96,54,36,46,03,04,4e,7c,1b,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,08,51,24,b3,64,
e8,5f,e1,25,da,ec,7e,55,20,c9,26,25,89,96,3b,55,46,1c,58,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,25,1a,6c,8d,70,
01,16,dd,3e,1e,9e,e0,57,5a,93,61,c4,1e,43,34,8b,d5,48,02,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,58,bb,a5,98,3f,
82,14,56,cd,44,cd,b9,a6,33,6c,cd,5b,2c,e6,32,8a,53,43,cf,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,be,90,cd,a9,6e,
56,da,b0,b0,18,ed,a7,3f,8d,37,a4,68,03,bd,75,42,81,c6,f3,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,b3,51,5a,8e,d3,
8a,7d,8a,31,77,e1,ba,b1,f8,68,02,f1,c7,5b,b3,a9,e8,71,01,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,0e,35,75,78,cd,
0b,20,96,83,6c,56,8b,a0,85,96,ab,63,81,df,83,30,41,6c,49,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,76,70,0b,1d,b5,
13,b3,b6,51,fa,6e,91,28,9e,14,cc,d1,b7,70,b3,61,02,9b,af,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,90,9a,61,c6,d5,
05,a4,1a,b1,cd,45,5a,a8,c4,f8,b9,e3,e7,9c,7d,96,e5,c2,05,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,22,de,e6,95,34,
63,a0,e7,e3,0e,66,d5,eb,bc,2f,6b,bb,11,8f,ec,e1,20,73,61,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:05,73,21,dd,54,d8,4a,c5,7f,82,3c,a3,67,
8c,8a,cb,fa,ea,66,7f,d4,3b,6b,70,41,9c,78,ef,98,46,5e,af,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\CF25371.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\LckFldService.exe
c:\windows\system32\wdfmgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-12 17:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-12 15:37

Pre-Run: 46,523,293,696 bytes free
Post-Run: 46,679,379,968 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

248


HJ:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:10:26 PM, on 6/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSD.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\LckFldService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\miki\Desktop\mk30\mk30.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [LMgrVolOSD] C:\Program Files\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSDCtrl.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [ATICCC] "c:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com/windowsupdate/v6/V5Con.....9306808109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - update.microsoft.com/microsoftupdate/v6/V5C.....9316833015
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LckFldService - Unknown owner - C:\WINDOWS\system32\LckFldService.exe

--
End of file - 5663 bytes


hvala na pomoci ...

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Pozdrav...


Zbog čega sumnjaš na malware? Neki problem?

offline
  • Pridružio: 24 Okt 2007
  • Poruke: 122

mozda i nije, ali internet iako je veza ok, iako torrent radi perfektno, ni jednu stranicu ne mogu da otvorim. ni u operi ni u ie.

druga stvar, recimo kopiram iz jednog foldera u drugi neke stvari i odjednom mi prijavi neku gresku i zatvori sve explorere.

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Zaboraviš da pomenem: zašto nemaš antivirus? Bez AV-a, samo je pitanje dana kada ćeš morati formatirati disk (jer će Windows biti toliko uništem od strane malware-a da mu neće biti pomoći).



Anyway, ne bih rekao da ovde postoji nešto maliciozno, no možemo odraditi još jednu proveru.


Preuzmi gmer.zip sa ovog linka i sačuvaj na Desktopu.
Raspakuj ga u neki folder.

Dupli klik na gmer.exe za početak: Izaberi Rootkit/Malware Tab na vrhu.
Klikni na Scan.
Kada je skeniranje završeno, klik na Copy dugme ispod - ovo će sačuvati rezultate skeniranja u Clipboard.
Iskoristi opciju Paste u Notepad-u da bi to prebacio u tekst. Snimi taj tekst iz Notepada kao file1.txt.
Ponovi ovo isto sa Autostart Tab-om. Snimi taj tekst iz Notepada kao file2.txt.


Iskoristi opciju Prikači fajl ispod polja za pisanje poruke na forumu, i prikači nam ovde ta dva fajla koja smo malopre snimili.

offline
  • Pridružio: 24 Okt 2007
  • Poruke: 122

evo:

mycity.rs/must-login.png

mycity.rs/must-login.png

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Čisti logovi.


Potrebno je deinstalirati ComboFix:
klikni start (ili ), a zatim RUN.

Na Visti koristiti Start Search polje ukoliko Run nije dostupan.

U liniju za unos teksta ukucaj (iskopiraj) sledeće:

combofix /u

Primeti da postoji razmak između "ComboFix" i "/u".



a zatim klikni OK (ili pritisni Enter).


Sačekaj da se proces deinstalacije završi.



mirjanagb ::mozda i nije, ali internet iako je veza ok, iako torrent radi perfektno, ni jednu stranicu ne mogu da otvorim. ni u operi ni u ie.

Raspitaj se u: http://www.mycity.rs/Internet-klijenti/

mirjanagb ::druga stvar, recimo kopiram iz jednog foldera u drugi neke stvari i odjednom mi prijavi neku gresku i zatvori sve explorere.

Raspitaj se u: http://www.mycity.rs/Windows/

offline
  • Pridružio: 24 Okt 2007
  • Poruke: 122

ok ... hvala na pomoci!!!!

samo jedno pitanje:

sta je ovo sto je combofix obrisao, na samom pocetku log-a?

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Obzirom na to da nisi ispratila uputstvo za otvaranje teme (idući put će ista biti obrisana), ne mogu precizno reći.
Kada bih nagađao, rekao bih da je obrisao jednog crva i jedan legitiman file.

Ko je trenutno na forumu
 

Ukupno su 825 korisnika na forumu :: 33 registrovanih, 8 sakrivenih i 784 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: 8u47, A.R.Chafee.Jr., amaterSRB, Atomski čoban, Bane san, celik, chica, dac, Doca, dragoljub11987, dragon986, Drug pukovnik, ikan, kalens021, Kaplar2, ljuba, manda87, Mihajlo, nenad81, nik8282, panonski mornar, raskoljnikov, Recce, S-lash, sakota79, Smiljke, stegonosa, theNedjeljko, time, Trpe Grozni, Vlada1389, vlvl, Yellow Pinky