Molba - za provjeru loga

1

Molba - za provjeru loga

offline
  • Pridružio: 21 Dec 2007
  • Poruke: 35

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:18, on 7.6.2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16830)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wuauclt.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Users\Ivana\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Apoint2K\Apntex.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Internet Bilo Gdje\Internet Bilo Gdje.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Ivana\Desktop\mycity\iii.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hr.intl.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hr.intl.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ALaunch] C:\Acer\ALaunch\AlaunchClient.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"
O4 - HKLM\..\Run: [PLFSetL] C:\Windows\PLFSetL.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [SetPanel] C:\Acer\APanel\APanel.cmd
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=030109 serial=DR12WVM-9451895-TBY lang=EN
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = C:\Acer\Empowering Technology\eAPLauncher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ie_banner_deny.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - messenger.zone.msn.com/DE-CH/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A66390C-37F1-4179-AF6D-56BE200D52CB}: NameServer = 195.66.160.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9CBFAD1-816A-42F2-BC2F-9A2B60D6E8DF}: NameServer = 79.143.101.225 79.143.101.229
O17 - HKLM\System\CS3\Services\Tcpip\..\{31387091-4EB1-44E2-BB62-E4AE3CA7C33C}: NameServer = 195.66.160.1 195.66.160.2
O17 - HKLM\System\CS5\Services\Tcpip\..\{31387091-4EB1-44E2-BB62-E4AE3CA7C33C}: NameServer = 195.66.160.1 195.66.160.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0FO\r3hook.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12887 bytes

Racunar se cudno ponasa , u smislu da ponekad pocnu folderi da se otvaraju sami , kao i da se ponters pomjera bez kontakta misa ili Touch Pada , sto dovodi do sumnje da je zarazen nekim od virusa. Pomoc bi mi dobro dosla ...
Pozdrav.

rip
  • argus  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 27 Apr 2008
  • Poruke: 9160
  • Gde živiš: Prokuplje

Uradicemo jednu proveru

Preuzmi sUBs-ov ComboFix sa jedne od sledećih adresa na Desktop:


Bleeping Computer . . . . . Geeks to Go!
Klikni desnim tasterom na neki od linkova i odaberi opciju Save Target As... (Save Link As..., Save Linked Content As... ili sličnu);
Kada se otvori dijalog za izbor lokacije na kojoj treba sačuvati file, odaberi Desktop i klikni Save.




Kada preuzimanje programa bude završeno:
zatvori pokrenute programe;
deaktiviraj zaštitni softver (uputstvo);
dvoklikom pokreni program ComboFix.

U toku rada, ComboFix će:proveriti postoji li novija verzija programa:
klikni Yes ako bude ponuđeno preuzimanje iste.
prikazati DISCLAIMER OF WARRANTY ON SOFTWARE:
klikni Yes kako bi proces bio nastavljen.
ako Recovery Console nije instalirana, ponuditi instalaciju:
prihvati klikom na Yes i isprati postupak.
postaviti/dati određeni broj upita/obaveštenja:
prihvati klikom na Yes ili OK.
po potrebi, restartovati Windows (više puta);
na kraju rada, otvoriti Notepad sa izveštajem o skeniranju.


Iskopiraj izveštaj koji je ComboFix napravio u temu na forumu:
klikni desnim tasterom miša u prozor Notepad-a i izaberi Select All;
klikni desnim tasterom miša na obeleženi tekst i izaberi Copy;
klikni desnim tasterom miša u polje za pisanje poruke i izaberi Paste.


Napomena:Izveštaj će biti sačuvan pod nazivom ComboFix.txt na sistemskoj particiji (tipična lokacija: C:\ComboFix.txt);
Ukoliko nakon slanja poruke primetiš da izveštaj nije kompletan, iskoristi opciju Prikači fajl za prilaganje file-a C:\ComboFix.txt uz poruku.

offline
  • Pridružio: 21 Dec 2007
  • Poruke: 35

Evo ComboFix loga :

ComboFix 09-06-06.03 - Ivana 07.06.2009 12:49.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1250.387.1033.18.1790.1073 [GMT 2:00]
Running from: c:\users\Ivana\Desktop\mycity\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Kaspersky Anti-Virus *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
c:\windows\system32\mpg4c32.dll
c:\windows\system32\x64
c:\windows\system32\x64\csnp2uvc.dll
c:\windows\system32\x64\rsnpvc64.dll
c:\windows\system32\x64\sncduvc.sys
c:\windows\system32\x64\snp2uvc.sys
c:\windows\system32\x64\vsnpvc64.dll

----- BITS: Possible infected sites -----

hxxp://au.downj+|Cv+@J:NGD_DQ{zZOmODrE
.
((((((((((((((((((((((((( Files Created from 2009-05-07 to 2009-06-07 )))))))))))))))))))))))))))))))
.

2009-06-07 10:45 . 2009-06-07 10:45 -------- d-----w- \Qoobox
2009-05-24 12:25 . 2009-05-24 12:25 -------- d-----w- c:\users\ANA\AppData\Local\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-07 10:54 . 2008-11-29 09:06 68131872 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-07 07:41 . 2008-11-01 11:16 -------- d-----w- c:\users\Ivana\AppData\Roaming\OpenOffice.org2
2009-06-07 07:40 . 2008-11-29 09:06 -------- d-----w- c:\programdata\Kaspersky Lab
2009-06-07 07:35 . 2008-02-21 20:39 1877921792 --sha-w- \hiberfil.sys
2009-06-07 07:35 . 2008-02-21 20:33 2191851520 --sha-w- \pagefile.sys
2009-06-07 00:31 . 2008-11-29 09:06 915320 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-06 17:24 . 2008-09-21 06:52 27335 ----a-w- c:\users\Ivana\AppData\Roaming\nvModes.dat
2009-06-02 19:48 . 2008-09-23 17:23 -------- d-----w- c:\users\Ivana\AppData\Roaming\Skype
2009-06-02 18:47 . 2008-09-23 17:25 -------- d-----w- c:\users\Ivana\AppData\Roaming\skypePM
2009-06-02 09:44 . 2008-10-20 07:32 3714 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-05-24 12:25 . 2008-10-20 16:26 135000 ----a-w- c:\users\ANA\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-24 12:24 . 2008-10-20 17:29 8224 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-05-20 17:20 . 2008-11-29 09:08 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-05-20 17:20 . 2008-11-29 09:08 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-05-14 14:51 . 2007-07-25 10:51 -------- d-----w- c:\programdata\Microsoft Help
2009-05-10 22:12 . 2007-07-25 11:11 -------- d-----w- c:\programdata\Symantec
2009-05-10 22:12 . 2007-07-25 11:10 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-05-02 11:04 . 2008-09-20 19:59 135000 ----a-w- c:\users\Ivana\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-01 19:02 . 2009-05-01 19:01 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-05-01 19:02 . 2009-05-01 19:01 -------- d-----w- c:\program files\AVSMedia
2009-04-27 11:21 . 2008-10-06 11:14 680 ----a-w- c:\users\Ivana\AppData\Local\d3d9caps.dat
2009-04-20 00:08 . 2009-04-20 00:07 -------- d-----w- c:\program files\SweetIM
2009-04-20 00:07 . 2009-04-20 00:07 -------- d-----w- c:\programdata\SweetIM
2009-04-19 22:49 . 2009-04-19 22:49 -------- d-----w- c:\users\Ivana\AppData\Roaming\TeamViewer
2009-04-19 22:48 . 2009-04-19 22:48 -------- d-----w- c:\program files\TeamViewer
2009-04-04 13:02 . 2009-04-04 13:03 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-03-31 10:48 . 2008-11-29 09:44 148496 ----a-w- c:\programdata\Kaspersky Lab\AVP6\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\6.0.3.830\X86\klif.sys
2009-03-17 03:16 . 2009-04-16 07:44 14848 ----a-w- c:\windows\system32\apilogen.dll
2009-03-17 03:16 . 2009-04-16 07:44 25600 ----a-w- c:\windows\system32\amxread.dll
2008-02-02 10:07 . 2008-11-01 11:54 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-02-02 10:07 . 2008-11-01 11:54 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-02-02 10:07 . 2008-11-01 11:54 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-02-02 10:07 . 2008-11-01 11:54 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-02-02 10:07 . 2008-11-01 11:54 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2008-10-20 17:41 . 2008-10-20 17:03 56 --sha-r- c:\windows\System32\56C0846811.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-20 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-09-27 1232896]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-06-11 1286144]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-08-15 772616]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2007-05-24 206952]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-06-06 159744]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 57344]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-01 185872]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-07-25 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-25 8433664]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-25 81920]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-04 148888]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-07-06 4669440]

c:\users\Ivana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-10-12 393216]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-7-25 535336]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1.0FO\adialhk.dll c:\progra~1\KASPER~1\KASPER~1.0FO\r3hook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D5107B99-FAD3-484B-B1FD-0F99B02215B0}"= c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
"{F2979B51-C7D7-4432-AC71-A5771C73BB2D}"= c:\program files\Acer Arcade Deluxe\VideoMagician\VideoMagician.exe:VideoMagician
"{9C8B4F34-9FE3-4EEC-9D40-CAEA3189C548}"= c:\program files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:HomeMedia
"{A287267E-E282-4EE2-89E6-DBF838D4E07D}"= c:\program files\Acer Arcade Deluxe\DV Wizard\DV Wizard.exe:DV Wizard
"{179BA678-BA29-417C-89CC-DBDDA57C6227}"= c:\program files\Acer Arcade Deluxe\DVDivine\DVDivine.exe:DVDivine
"{B62E537E-AB59-476B-94DF-A00F0F634573}"= c:\program files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe:Play Movie
"{FAD33FB2-4209-4112-8D51-61807884644F}"= c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe:Play Movie Resident Program
"{64760618-B94F-4BB9-8288-4712EAF1DF40}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{BC60FD24-9AEC-4E84-9C30-F8FA22DDCF5D}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{1774710C-4EB7-495B-A27D-F616CC5C7AE4}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{8E5E449A-0DD0-4184-BFCD-A38BA44EB719}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{49D9A35D-CAC4-4410-AAD0-C715DDBAF396}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{2A107020-B78E-45E1-90D3-94195B4A503A}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{67CFB47F-6126-44BB-9E36-D5AA634E255D}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Acer\\Empowering Technology\\eDataSecurity\\eDSfsu.exe"= c:\acer\Empowering Technology\eDataSecurity\eDSfsu.exe:*:Enabled:eDSfsu
"c:\\Acer\\Empowering Technology\\eDataSecurity\\encryption.exe"= c:\acer\Empowering Technology\eDataSecurity\encryption.exe:*:Enabled:encryption
"c:\\Acer\\Empowering Technology\\eDataSecurity\\decryption.exe"= c:\acer\Empowering Technology\eDataSecurity\decryption.exe:*:Enabled:decryption

R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\System32\drivers\klim6.sys [4.4.2007 14:59 20760]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [21.2.2008 22:43 13560]
R2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [25.7.2007 13:19 50688]
R2 SSPORT;SSPORT;c:\windows\System32\drivers\SSPORT.SYS [22.11.2008 18:33 5120]
R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [25.7.2007 11:08 32256]
R3 usnjsvc;Usluga Messenger Sharing Folders USN Journal Reader;c:\program files\Windows Live\Messenger\usnsvc.exe [18.10.2007 11:31 98328]
S3 WSVD;WSVD;c:\windows\System32\drivers\WSVD.sys [26.12.2008 21:29 80744]
.
Contents of the 'Scheduled Tasks' folder

2009-06-06 c:\windows\Tasks\User_Feed_Synchronization-{93C74123-D1A7-4AB2-957C-74894032109D}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Acer Tour Reminder - (no file)
HKLM-Run-ALaunch - c:\acer\ALaunch\AlaunchClient.exe
HKLM-Run-SetPanel - c:\acer\APanel\APanel.cmd
HKLM-Run-CorelDRAW Graphics Suite 11b - c:\program files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe
HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = facebook.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://hr.intl.acer.yahoo.com
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ie_banner_deny.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {4A66390C-37F1-4179-AF6D-56BE200D52CB} = 195.66.160.1
TCP: {E9CBFAD1-816A-42F2-BC2F-9A2B60D6E8DF} = 79.143.101.225 79.143.101.229
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
FF - ProfilePath - c:\users\Ivana\AppData\Roaming\Mozilla\Firefox\Profiles\gtimsw0q.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.accept.default", "application/x-shockwave-flash,text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-06-07 12:59
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP0000008CB0E5D97A67F019E3 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\progra~1\KASPER~1\KASPER~1.0FO\r3hook.dll

- - - - - - - > 'lsass.exe'(672)
c:\progra~1\KASPER~1\KASPER~1.0FO\r3hook.dll
.
Completion time: 2009-06-07 13:02
ComboFix-quarantined-files.txt 2009-06-07 11:02

Pre-Run: 62.020.845.568 bytes free
Post-Run: 61.998.108.672 bytes free

244 --- E O F --- 2009-05-15 11:29

rip
  • argus  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 27 Apr 2008
  • Poruke: 9160
  • Gde živiš: Prokuplje

Zipuj/raruj mi sledeci folder:

c:\qoobox i posalji mi ga preko sledeceg linka:

http://www.mycity.rs/ambulanta-upload.php


Preuzmi gmer.zip sa ovog linka i sačuvaj na Desktopu.
Raspakuj ga u neki folder.

Dupli klik na gmer.exe za početak: Izaberi Rootkit/Malware Tab na vrhu.
Klikni na Scan.
Kada je skeniranje završeno, klik na Copy dugme ispod - ovo će sačuvati rezultate skeniranja u Clipboard.
Iskoristi opciju Paste u Notepad-u da bi to prebacio u tekst. Snimi taj tekst iz Notepada kao file1.txt.
Ponovi ovo isto sa Autostart Tab-om. Snimi taj tekst iz Notepada kao file2.txt.


Iskoristi opciju Prikači fajl ispod polja za pisanje poruke na forumu, i prikači nam ovde ta dva fajla koja smo malopre snimili.

offline
  • Pridružio: 21 Dec 2007
  • Poruke: 35

Upload-ovala sam Goobox. Pri prvom skeniranju gmer.exe racunar se restartovao...
mycity.rs/must-login.png

mycity.rs/must-login.png

rip
  • argus  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 27 Apr 2008
  • Poruke: 9160
  • Gde živiš: Prokuplje

@anaivana nastavicemo sutra, kasno je sad da gledam logove, veliki su Smile

offline
  • Pridružio: 21 Dec 2007
  • Poruke: 35

Vazi ... Hvala !
Pozdrav :-)

rip
  • argus  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 27 Apr 2008
  • Poruke: 9160
  • Gde živiš: Prokuplje

Iskljuci ponovo antivirus.

Otvoriti Notepad i iskopirati sledeci tekst:

DEQUARANTINE::
C:\Qoobox\Quarantine\C\Windows\System32\mpg4c32.dll.vir
C:\Qoobox\Quarantine\C\Windows\System32\x64
QUIT::


Snimiti na Desktop fajl iz Notepada kao "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.

offline
  • Pridružio: 21 Dec 2007
  • Poruke: 35

Evo i loga nakon ciscenja :

C:\Qoobox\Quarantine\C\Windows\System32\mpg4c32.dll.vir -> C:\Windows\System32\mpg4c32.dll ( 413760 bytes )
C:\Qoobox\Quarantine\C\Windows\System32\x64\csnp2uvc.dll -> C:\Windows\System32\x64\csnp2uvc.dll
C:\Qoobox\Quarantine\C\Windows\System32\x64\rsnpvc64.dll -> C:\Windows\System32\x64\rsnpvc64.dll
C:\Qoobox\Quarantine\C\Windows\System32\x64\sncduvc.sys -> C:\Windows\System32\x64\sncduvc.sys
C:\Qoobox\Quarantine\C\Windows\System32\x64\snp2uvc.sys -> C:\Windows\System32\x64\snp2uvc.sys
C:\Qoobox\Quarantine\C\Windows\System32\x64\vsnpvc64.dll -> C:\Windows\System32\x64\vsnpvc64.dll
5 File(s) copied

rip
  • argus  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 27 Apr 2008
  • Poruke: 9160
  • Gde živiš: Prokuplje

Kazi mi kakvo je stanje sada ?

Ko je trenutno na forumu
 

Ukupno su 770 korisnika na forumu :: 12 registrovanih, 2 sakrivenih i 756 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: A.R.Chafee.Jr., Boris90, Bubimir, dane007, esx66, goxin, Koridor, miodrag, mrav pesadinac, sasa87, SlaKoj, strelac07