Unknown processes, "Bad Image" exe errors, etc.

offline
  • Joined: 15 Jan 2011
  • Posts: 4
  • Location: Bijeljina

Hello,
I have been having problems with my computer for quite a while now: first it slowed down, then some dial-up connections started appearing, and then I could not boot the system at all.
I managed to get into Safe Mode and it turned out that avast was causing the problem (more precisely, after renewing the licence and the latest update, the system could not boot), and by removing it I managed to boot the system. But sometimes the computer restarts as soon as I log in, and sometimes only after working for a longer time.
Anyway, in Task Manager I saw some processes that were not there before.
I have used avast, Malwarebytes and CCleaner.
I also have several infected USB sticks that are causing me problems.
Thank you in advance for your help.
Here are the logs.


DDS (Ver_10-12-12.02) - NTFSx86
Run by User at 17:09:59,06 on sub 22.01.2011
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1250.385.1033.18.767.526 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\nadool.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ovislink\Common\TurboG-UI.exe
C:\WINDOWS\system32\vouhyg.exe
C:\WINDOWS\system32\coucykerou.exe
svchost.exe
C:\WINDOWS\system32\foofowi.exe
C:\WINDOWS\TEMP\gmgodo19A0154A.tmp
C:\WINDOWS\TEMP\go1B4EB371.tmp
C:\DOCUME~1\User\LOCALS~1\Temp\gmgodo19A0154A.tmp
C:\DOCUME~1\User\LOCALS~1\Temp\gmgodo19A0154A.tmp
C:\DOCUME~1\User\LOCALS~1\Temp\go1B4EB371.tmp
C:\DOCUME~1\User\LOCALS~1\Temp\go1B4EB371.tmp
C:\DOCUME~1\User\LOCALS~1\Temp\pxvdmdohwrnf037A5265.tmp
C:\DOCUME~1\User\LOCALS~1\Temp\zhrxn0194F45E.tmp
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2124320
uSearch Bar = hxxp://search.bearshare.com/sidebar.html?src=ssb
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKman000&fl=0&ptb=.IyBejtO0LB4z.acBoa1EQ&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
uInternet Connection Wizard,ShellNext = iexplore
mWinlogon: Userinit=c:\windows\system32\userinit.exe
mWinlogon: Taskman=c:\documents and settings\user\application data\juzjf.exe
uWinlogon: Shell=c:\recycler\s-1-5-21-3452635147-3726938487-066082052-3088\yv8g67.exe,c:\documents and settings\user\application data\nsvb.exe,explorer.exe,c:\documents and settings\user\application data\juzjf.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSConfig] c:\documents and settings\user\oionrul.exe \u
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [baressut] c:\windows\system32\foofowi.exe
mRun: [vageg] c:\windows\system32\vouhyg.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [vageg] c:\documents and settings\localservice\application data\microsoft\coucykerou.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\00zbyud.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\01niqlr.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\0rtqspr.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\1brgynl.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\1lgywtl.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\1rluoxr.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\1rtwcjn.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\1zasbvd.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\55iajdm.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\56cnxit.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\5gqbmgz.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\5qurtqs.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\5sedlgy.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\6ebdacz.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\aidz001hui.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\arbm01xlao.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\auwzq00vr.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\bbicrzt0.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\bjycc55uq.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\bvksnly00.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\c55swvzjokt.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\canrlkm55.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\dlwmpl00.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\ed56ebdaczb.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\egjfmc55.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\fxluixhg.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\fziclfoi.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\g01nsktnwqy.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\gopvgkhj.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\grbmwhs0.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\hof56izfio.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\hpmojxga.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\ht01tnwutpi.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\idfcud56s.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\igbn001xg.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\irpiabr0.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\je01fzowtzo.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\k556sldrakp.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\khj00flcqz.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\kntuqjju.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\le01zkufpal.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\lgo55uubby.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\lpq01pysav.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\m56ilhemavl.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\midfcud5.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\milhkgj5.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\mntykhlq.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\npsp56gtrz.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\nuixhg01n.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\nwqy55wezh.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\o55qmpvwyvx.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\p001dxgupre.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\pbgaj56wkt.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\peolh001v.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\qaflscgd.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\rawtlkg5.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\ruqt5sorlq.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\rzu01daczlf.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\surtqs55o.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\toi56uohve.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\tuimtaog.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\u0npsurtqs5.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\viyhs00jr.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\vokd56oirl.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\voo55owtle.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\vqsvruqt.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\wezh001rcm.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\whr00jxwoh.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\wo55audxgai.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\wsbl00flcq.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\wxd001bpye.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\x56yvxuwtvs.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\xaqblwg5.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\xrzuc556w.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\y01lpmolnog.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\ybn00vbwof.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\yirtqgbh.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\ynp00fbead.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\zfaiifh0.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\zhgi56uoh.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\zt01pembrqm.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\airliv~1.lnk - c:\program files\ovislink\common\TurboG-UI.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC}
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5}
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223056243652
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {2B0F3E87-2761-4409-B3CE-EE706ABD059C} = 79.143.173.161 79.143.172.3
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - c:\windows\system32\textwareilluminatorbaseProtocol.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\hngiuscv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2321365&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ZaMRadio Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R0 byocclmt;byocclmt;c:\windows\system32\drivers\byocclmt.sys [2011-1-10 40128]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-2-15 54752]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2003-7-8 585728]
S0 tklpi;tklpi;c:\windows\system32\drivers\ejdjisu.sys --> c:\windows\system32\drivers\ejdjisu.sys [?]
S2 q5ymg2u2;Ati HotKey Poller;c:\windows\system32\nadool.exe [2011-1-22 229888]
S2 tekuaeelug;BsHelpCS;c:\windows\system32\sakouvoo.exe [2011-1-22 229888]
S3 cpuz132;cpuz132;\??\c:\docume~1\user\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\user\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 fsssvc;Windows Live Family Safety Service;"c:\program files\windows live\family safety\fsssvc.exe" --> c:\program files\windows live\family safety\fsssvc.exe [?]
S3 gkmixern;gkmixern;\??\c:\docume~1\user\locals~1\temp\gkmixern.sys --> c:\docume~1\user\locals~1\temp\gkmixern.sys [?]

=============== Created Last 30 ================

2011-01-22 11:34:09 229888 ----a-w- c:\windows\system32\nadool.exe
2011-01-22 11:29:06 83249512 ----a-w- c:\program files\common files\windows live\.cache\wlcB.tmp
2011-01-22 10:55:13 229888 ----a-w- c:\windows\system32\sakouvoo.exe
2011-01-22 10:50:22 83249512 ----a-w- c:\program files\common files\windows live\.cache\wlc22.tmp
2011-01-22 10:40:30 83249512 ----a-w- c:\program files\common files\windows live\.cache\wlc1B.tmp
2011-01-19 11:37:06 739840 ----a-w- c:\windows\system32\drivers\boxtcblcx.sys
2011-01-16 19:17:31 151040 --sh--r- c:\docume~1\user\applic~1\nsvb.exe
2011-01-12 16:15:07 229888 ----a-w- c:\windows\system32\foofowi.exe
2011-01-11 21:30:15 18944 ---ha-w- c:\documents and settings\user\oionrul.exe
2011-01-11 21:30:04 229888 ----a-w- c:\windows\system32\vouhyg.exe
2011-01-10 22:41:47 40128 ----a-w- c:\windows\system32\drivers\byocclmt.sys
2011-01-10 21:26:00 18944 ---ha-w- c:\documents and settings\user\rjs.exe
2011-01-10 21:25:33 229888 ----a-w- c:\windows\system32\coucykerou.exe
2011-01-10 21:24:31 113152 --sh--r- c:\docume~1\user\applic~1\juzjf.exe

==================== Find3M ====================


============= FINISH: 17:10:50,49 ===============
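To show how a helper reads a DDS report like the one above, here is an added Python example (my own code, not part of the original post and not a tool used on this forum). It parses the Run, StartupFolder, Winlogon and service lines of the "Pseudo HJT Report", cross-references them with the "Created Last 30" section, and flags the patterns that stand out in this log: Winlogon Shell/Taskman values that differ from the Windows defaults, autostart targets in user-writable locations (Application Data, Temp, the Recycler), raw executables dropped into the Startup folder instead of .lnk shortcuts, and autostart binaries created within the last 30 days. The sample log, the finding labels and the heuristics are constructed for this example.

```python
import re
from typing import List, Set, Tuple

# Constructed sample in the format of the DDS "Pseudo HJT Report" and
# "Created Last 30" sections above; a handful of entries, not a full log.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
mWinlogon: Userinit=c:\windows\system32\userinit.exe
mWinlogon: Taskman=c:\documents and settings\user\application data\juzjf.exe
uWinlogon: Shell=c:\recycler\s-1-5-21-0-0-0-1000\yv8g67.exe,explorer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [baressut] c:\windows\system32\foofowi.exe
StartupFolder: c:\documents and settings\user\start menu\programs\startup\00zbyud.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\airliv~1.lnk - c:\program files\ovislink\common\TurboG-UI.exe
S2 q5ymg2u2;Ati HotKey Poller;c:\windows\system32\nadool.exe [2011-1-22 229888]
S3 gkmixern;gkmixern;\??\c:\docume~1\user\locals~1\temp\gkmixern.sys --> c:\docume~1\user\locals~1\temp\gkmixern.sys [?]
=============== Created Last 30 ================
2011-01-22 11:34:09 229888 ----a-w- c:\windows\system32\nadool.exe
2011-01-12 16:15:07 229888 ----a-w- c:\windows\system32\foofowi.exe
2011-01-10 22:41:47 40128 ----a-w- c:\windows\system32\drivers\byocclmt.sys
"""

# Path fragments that a legitimate autostart entry on XP practically never uses.
USER_WRITABLE = ("\\application data\\", "\\applic~1\\", "\\temp\\",
                 "\\locals~1\\", "\\recycler\\")
# Expected Winlogon values; Taskman has no default and should normally be absent.
WINLOGON_DEFAULTS = {
    "winlogon-shell": {"explorer.exe"},
    "winlogon-userinit": {"c:\\windows\\system32\\userinit.exe"},
    "winlogon-taskman": set(),
}
EXT_RE = re.compile(r"\.(exe|sys|dll|scr|lnk)\b", re.I)


def _clean(path: str) -> str:
    """Normalise a DDS path fragment: drop the \\??\\ prefix, cut off arguments
    and trailing annotations after the binary's extension, lower-case it.
    (For RUNDLL32 entries this yields the host, rundll32.exe, not the DLL.)"""
    path = path.strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    m = EXT_RE.search(path)
    if m:
        path = path[: m.end()]
    return path.lower()


def autostart_targets(log: str) -> List[Tuple[str, str]]:
    """Return (kind, path) pairs for every autostart entry in the report."""
    out = []
    for line in log.splitlines():
        line = line.strip()
        m = re.match(r"[umd]Run:\s*\[[^\]]*\]\s*(.+)", line)
        if m:
            out.append(("run", _clean(m.group(1))))
            continue
        m = re.match(r"StartupFolder:\s*(.+)", line)
        if m:
            # "x.lnk - target" is a shortcut; a bare path is a file dropped in Startup
            entry, _, target = m.group(1).partition(" - ")
            out.append(("startup-lnk" if target else "startup-file", _clean(target or entry)))
            continue
        m = re.match(r"[umd]Winlogon:\s*(\w+)=(.+)", line)
        if m:
            for part in m.group(2).split(","):
                out.append(("winlogon-" + m.group(1).lower(), _clean(part)))
            continue
        m = re.match(r"[RS]\d\s+[^;]+;[^;]*;(.+)", line)
        if m:
            out.append(("service", _clean(m.group(1))))
    return out


def created_files(log: str) -> Set[str]:
    """Lower-case paths listed under the DDS 'Created Last 30' section."""
    created, in_section = set(), False
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("=") and "Created Last 30" in line:
            in_section = True
            continue
        if in_section and line.startswith("="):
            break  # next section header (Find3M etc.)
        m = re.match(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+\S+\s+(.+)", line)
        if in_section and m:
            created.add(m.group(1).strip().lower())
    return created


def triage(log: str) -> List[Tuple[str, str]]:
    """Apply the four heuristics and return (finding, path) pairs for review."""
    created = created_files(log)
    findings = []
    for kind, path in autostart_targets(log):
        if not path:  # e.g. the empty part after a trailing comma in Userinit
            continue
        if kind in WINLOGON_DEFAULTS and path not in WINLOGON_DEFAULTS[kind]:
            findings.append(("winlogon-nondefault", path))
        if any(frag in path for frag in USER_WRITABLE):
            findings.append(("user-writable-location", path))
        if kind == "startup-file" and path.endswith(".exe"):
            findings.append(("raw-exe-in-startup-folder", path))
        if path in created:
            findings.append(("created-recently", path))
    return findings


if __name__ == "__main__":
    for finding, path in triage(SAMPLE_LOG):
        print(f"{finding:28} {path}")
```

The output is a list of leads, not verdicts: a recently created file in system32 may be a legitimate driver update, so each hit still needs a look at the file itself (vendor, signature, size pattern). ComboFix's "Files Created" lines use a different layout (two timestamps separated by a dot) and are not parsed by this example.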


offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8620
  • Location: Novi Beograd

Hello,

Download sUBs' ComboFix from the following address to your Desktop:

Bleeping Computer
Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
When the dialog for choosing where to save the file opens, select Desktop and click Save.

When the download has finished:
  • disable your security software (instructions);
  • close any running programs;
  • double-click ComboFix to run it.

While it runs, ComboFix will:
  • check whether a newer version of the program exists:
    click Yes if it offers to download it.
  • display the DISCLAIMER OF WARRANTY ON SOFTWARE:
    click Yes so that the process continues.
  • if the Recovery Console is not installed, offer to install it:
    be sure to accept by clicking Yes and follow the procedure.
  • ask a number of questions / show a number of notices:
    accept by clicking Yes or OK.
  • restart Windows if needed (possibly several times);
  • at the end, open Notepad with the scan report.

Copy the report ComboFix produced into the thread on the forum:
  • right-click in the Notepad window and choose Select All;
  • right-click the highlighted text and choose Copy;
  • right-click in the message box and choose Paste.

Note: the report will be saved as ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
If after posting you notice that the report is incomplete, use the Prikači fajl (Attach file) option to attach C:\ComboFix.txt to your post.

offline
  • Joined: 15 Jan 2011
  • Posts: 4
  • Location: Bijeljina

Sorry for the delay. It would not start in normal mode; I left it for an hour but it could not start, so I ran it from Safe Mode. I hope I have not made a mistake. Here is the log

ComboFix 11-01-22.01 - User 22.01.2011 21:27:23.1.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1250.385.1033.18.767.623 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\User\Application Data\juzjf.exe
c:\documents and settings\User\Application Data\nsvb.exe
c:\documents and settings\User\Local Settings\Application Data\3098567375.dll
c:\documents and settings\User\Local Settings\Application Data\av.exe
c:\documents and settings\User\Local Settings\Application Data\ave.exe
c:\documents and settings\User\oionrul.exe
c:\documents and settings\User\rjs.exe
c:\documents and settings\User\secupdat.dat
c:\recycler\S-1-5-21-3452635147-3726938487-066082052-3088\yv8g67.exe
c:\windows\system32\Drivers\byocclmt.sys
c:\windows\system32\secupdat.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSUPDATE
-------\Legacy_byocclmt
-------\Service_byocclmt


((((((((((((((((((((((((( Files Created from 2010-12-22 to 2011-01-22 )))))))))))))))))))))))))))))))
.

2011-01-22 11:29 . 2011-01-22 11:29 83249512 ----a-w- c:\program files\Common Files\Windows Live\.cache\wlcB.tmp
2011-01-22 10:55 . 2011-01-22 11:33 229888 ----a-w- c:\windows\system32\sakouvoo.exe
2011-01-22 10:50 . 2011-01-22 10:50 83249512 ----a-w- c:\program files\Common Files\Windows Live\.cache\wlc22.tmp
2011-01-22 10:40 . 2011-01-22 10:41 83249512 ----a-w- c:\program files\Common Files\Windows Live\.cache\wlc1B.tmp
2011-01-19 11:37 . 2011-01-22 20:35 739840 ----a-w- c:\windows\system32\drivers\boxtcblcx.sys
2011-01-12 16:15 . 2011-01-22 16:04 229888 ----a-w- c:\windows\system32\foofowi.exe
2011-01-11 21:30 . 2011-01-22 12:51 229888 ----a-w- c:\windows\system32\vouhyg.exe
2011-01-10 21:25 . 2011-01-22 11:33 229888 ----a-w- c:\windows\system32\coucykerou.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-23 3756032]
"nwiz"="nwiz.exe" [2004-04-23 831488]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-04-23 46080]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 67072]
"baressut"="c:\windows\system32\foofowi.exe" [2011-01-22 229888]
"vageg"="c:\windows\system32\coucykerou.exe" [2011-01-22 229888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\User\Start Menu\Programs\Startup\
00zbyud.exe [2011-1-21 42496]
01niqlr.exe [2011-1-21 42496]
0rtqspr.exe [2011-1-20 43008]
1brgynl.exe [2011-1-20 43008]
1lgywtl.exe [2011-1-20 43008]
1rluoxr.exe [2011-1-13 43008]
1rtwcjn.exe [2011-1-12 43008]
1zasbvd.exe [2011-1-13 43008]
55iajdm.exe [2011-1-22 42496]
56cnxit.exe [2011-1-22 43008]
5gqbmgz.exe [2011-1-20 43008]
5qurtqs.exe [2011-1-11 42496]
5sedlgy.exe [2011-1-21 43008]
6ebdacz.exe [2011-1-17 42496]
aidz001hui.exe [2011-1-19 42496]
arbm01xlao.exe [2011-1-12 42496]
auwzq00vr.exe [2011-1-12 43008]
bbicrzt0.exe [2011-1-22 43008]
bjycc55uq.exe [2011-1-12 43008]
bvksnly00.exe [2011-1-22 42496]
c55swvzjokt.exe [2011-1-12 42496]
canrlkm55.exe [2011-1-12 42496]
dlwmpl00.exe [2011-1-22 43008]
ed56ebdaczb.exe [2011-1-17 43008]
egjfmc55.exe [2011-1-22 43008]
fxluixhg.exe [2011-1-21 43008]
fziclfoi.exe [2011-1-22 43008]
g01nsktnwqy.exe [2011-1-18 43008]
gopvgkhj.exe [2011-1-22 42496]
grbmwhs0.exe [2011-1-22 42496]
hof56izfio.exe [2011-1-19 42496]
hpmojxga.exe [2011-1-12 43008]
ht01tnwutpi.exe [2011-1-19 43008]
idfcud56s.exe [2011-1-19 43008]
igbn001xg.exe [2011-1-21 43008]
irpiabr0.exe [2011-1-22 43008]
je01fzowtzo.exe [2011-1-21 42496]
k556sldrakp.exe [2011-1-21 43008]
khj00flcqz.exe [2011-1-18 43008]
kntuqjju.exe [2011-1-21 42496]
le01zkufpal.exe [2011-1-12 43008]
lgo55uubby.exe [2011-1-19 42496]
lpq01pysav.exe [2011-1-18 43008]
m56ilhemavl.exe [2011-1-20 42496]
midfcud5.exe [2011-1-19 43008]
milhkgj5.exe [2011-1-20 42496]
mntykhlq.exe [2011-1-21 43008]
npsp56gtrz.exe [2011-1-15 43008]
nuixhg01n.exe [2011-1-21 42496]
nwqy55wezh.exe [2011-1-18 42496]
o55qmpvwyvx.exe [2011-1-22 43008]
p001dxgupre.exe [2011-1-18 43008]
pbgaj56wkt.exe [2011-1-12 43008]
peolh001v.exe [2011-1-22 42496]
qaflscgd.exe [2011-1-22 43008]
rawtlkg5.exe [2011-1-20 42496]
ruqt5sorlq.exe [2011-1-13 42496]
rzu01daczlf.exe [2011-1-21 43008]
surtqs55o.exe [2011-1-13 42496]
toi56uohve.exe [2011-1-15 42496]
tuimtaog.exe [2011-1-19 43008]
u0npsurtqs5.exe [2011-1-12 42496]
viyhs00jr.exe [2011-1-21 43008]
vokd56oirl.exe [2011-1-20 43008]
voo55owtle.exe [2011-1-19 43008]
vqsvruqt.exe [2011-1-13 43008]
wezh001rcm.exe [2011-1-22 43008]
whr00jxwoh.exe [2011-1-14 42496]
wo55audxgai.exe [2011-1-17 43008]
wsbl00flcq.exe [2011-1-18 42496]
wxd001bpye.exe [2011-1-14 43008]
x56yvxuwtvs.exe [2011-1-11 43008]
xaqblwg5.exe [2011-1-13 43008]
xrzuc556w.exe [2011-1-11 43008]
y01lpmolnog.exe [2011-1-15 43008]
ybn00vbwof.exe [2011-1-14 43008]
yirtqgbh.exe [2011-1-21 43008]
ynp00fbead.exe [2011-1-20 43008]
zfaiifh0.exe [2011-1-19 43008]
zhgi56uoh.exe [2011-1-15 43008]
zt01pembrqm.exe [2011-1-22 43008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AirLive Turbo-G Wireless Utility.lnk - c:\program files\Ovislink\Common\TurboG-UI.exe [2008-8-9 614400]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Multimedia keyboard driver.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Multimedia keyboard driver.lnk
backup=c:\windows\pss\Multimedia keyboard driver.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^5knns01.exe]
path=c:\documents and settings\User\Start Menu\Programs\Startup\5knns01.exe
backup=c:\windows\pss\5knns01.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^ebtedm03.exe]
path=c:\documents and settings\User\Start Menu\Programs\Startup\ebtedm03.exe
backup=c:\windows\pss\ebtedm03.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^euz5mcratj.exe]
path=c:\documents and settings\User\Start Menu\Programs\Startup\euz5mcratj.exe
backup=c:\windows\pss\euz5mcratj.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
c:\documents and settings\User\rjs.exe \u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\baressut]
2011-01-22 12:51 229888 ----a-w- c:\windows\system32\vouhyg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Barsaka]
2008-04-14 03:42 1033728 ----a-w- c:\windows\explorer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 03:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PAC7302_Monitor]
2006-11-03 09:01 319488 ----a-w- c:\windows\PixArt\PAC7302\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-11-22 23:45 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vageg]
2011-01-22 12:51 229888 ----a-w- c:\windows\system32\coucykerou.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S0 tklpi;tklpi;c:\windows\system32\drivers\ejdjisu.sys --> c:\windows\system32\drivers\ejdjisu.sys [?]
S2 q5ymg2u2;Ati HotKey Poller;c:\windows\system32\nadool.exe --> c:\windows\system32\nadool.exe [?]
S2 tekuaeelug;BsHelpCS;c:\windows\system32\sakouvoo.exe [22.1.2011 11:55 229888]
S3 gkmixern;gkmixern;\??\c:\docume~1\User\LOCALS~1\Temp\gkmixern.sys --> c:\docume~1\User\LOCALS~1\Temp\gkmixern.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - boxtcblcx
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2124320
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKman000&fl=0&ptb=.IyBejtO0LB4z.acBoa1EQ&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\hngiuscv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2321365&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ZaMRadio Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 2
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-byocclmt.sys
MSConfigStartUp-avast! - c:\progra~1\ALWILS~1\Avast4\ashDisp.exe
MSConfigStartUp-ISTray - c:\program files\Spyware Doctor\pctsTray.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
MSConfigStartUp-My Web Search Bar - c:\progra~1\MYWEBS~1\bar\4.bin\MWSBAR.DLL
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
MSConfigStartUp-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\4.bin\M3PLUGIN.DLL
MSConfigStartUp-WinampAgent - c:\documents and settings\User\My Documents\Natasa\IGRICE\Winamp\winampa.exe
AddRemove-HijackThis - c:\program files\Trend Micro\lala\HijackThis.exe
AddRemove-Tarzan Action Game - c:\progra~1\DISNEY~1\TARZAN~1\DeIsL1.isu
AddRemove-{98E8A2EF-4EAE-43B8-A172-74842B764777} - c:\program files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2011-01-22 21:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\boxtcblcx]

.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
.
**************************************************************************
.
Completion time: 2011-01-22 21:40:52 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-22 20:40

Pre-Run: 12.058.583.040 bytes free
Post-Run: 12.269.379.584 bytes free

- - End Of File - - C9ACF800F25C392C1D3C58FFB7492C8C

offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8620
  • Location: Novi Beograd

Open Notepad and copy the following text into it:

KillAll::

File::
c:\program files\Common Files\Windows Live\.cache\wlcB.tmp
c:\windows\system32\sakouvoo.exe
c:\program files\Common Files\Windows Live\.cache\wlc22.tmp
c:\program files\Common Files\Windows Live\.cache\wlc1B.tmp
c:\windows\system32\drivers\boxtcblcx.sys
c:\windows\system32\foofowi.exe
c:\windows\system32\vouhyg.exe
c:\windows\system32\coucykerou.exe
c:\documents and settings\User\Start Menu\Programs\Startup\00zbyud.exe
c:\documents and settings\User\Start Menu\Programs\Startup\01niqlr.exe
c:\documents and settings\User\Start Menu\Programs\Startup\0rtqspr.exe
c:\documents and settings\User\Start Menu\Programs\Startup\1brgynl.exe
c:\documents and settings\User\Start Menu\Programs\Startup\1lgywtl.exe
c:\documents and settings\User\Start Menu\Programs\Startup\1rluoxr.exe
c:\documents and settings\User\Start Menu\Programs\Startup\1rtwcjn.exe
c:\documents and settings\User\Start Menu\Programs\Startup\1zasbvd.exe
c:\documents and settings\User\Start Menu\Programs\Startup\55iajdm.exe
c:\documents and settings\User\Start Menu\Programs\Startup\56cnxit.exe
c:\documents and settings\User\Start Menu\Programs\Startup\5gqbmgz.exe
c:\documents and settings\User\Start Menu\Programs\Startup\5qurtqs.exe
c:\documents and settings\User\Start Menu\Programs\Startup\5sedlgy.exe
c:\documents and settings\User\Start Menu\Programs\Startup\6ebdacz.exe
c:\documents and settings\User\Start Menu\Programs\Startup\aidz001hui.exe
c:\documents and settings\User\Start Menu\Programs\Startup\arbm01xlao.exe
c:\documents and settings\User\Start Menu\Programs\Startup\auwzq00vr.exe
c:\documents and settings\User\Start Menu\Programs\Startup\bbicrzt0.exe
c:\documents and settings\User\Start Menu\Programs\Startup\bjycc55uq.exe
c:\documents and settings\User\Start Menu\Programs\Startup\bvksnly00.exe
c:\documents and settings\User\Start Menu\Programs\Startup\c55swvzjokt.exe
c:\documents and settings\User\Start Menu\Programs\Startup\canrlkm55.exe
c:\documents and settings\User\Start Menu\Programs\Startup\dlwmpl00.exe
c:\documents and settings\User\Start Menu\Programs\Startup\ed56ebdaczb.exe
c:\documents and settings\User\Start Menu\Programs\Startup\egjfmc55.exe
c:\documents and settings\User\Start Menu\Programs\Startup\fxluixhg.exe
c:\documents and settings\User\Start Menu\Programs\Startup\fziclfoi.exe
c:\documents and settings\User\Start Menu\Programs\Startup\g01nsktnwqy.exe
c:\documents and settings\User\Start Menu\Programs\Startup\gopvgkhj.exe
c:\documents and settings\User\Start Menu\Programs\Startup\grbmwhs0.exe
c:\documents and settings\User\Start Menu\Programs\Startup\hof56izfio.exe
c:\documents and settings\User\Start Menu\Programs\Startup\hpmojxga.exe
c:\documents and settings\User\Start Menu\Programs\Startup\ht01tnwutpi.exe
c:\documents and settings\User\Start Menu\Programs\Startup\idfcud56s.exe
c:\documents and settings\User\Start Menu\Programs\Startup\igbn001xg.exe
c:\documents and settings\User\Start Menu\Programs\Startup\irpiabr0.exe
c:\documents and settings\User\Start Menu\Programs\Startup\je01fzowtzo.exe
c:\documents and settings\User\Start Menu\Programs\Startup\k556sldrakp.exe
c:\documents and settings\User\Start Menu\Programs\Startup\khj00flcqz.exe
c:\documents and settings\User\Start Menu\Programs\Startup\kntuqjju.exe
c:\documents and settings\User\Start Menu\Programs\Startup\le01zkufpal.exe
c:\documents and settings\User\Start Menu\Programs\Startup\lgo55uubby.exe
c:\documents and settings\User\Start Menu\Programs\Startup\lpq01pysav.exe
c:\documents and settings\User\Start Menu\Programs\Startup\m56ilhemavl.exe
c:\documents and settings\User\Start Menu\Programs\Startup\midfcud5.exe
c:\documents and settings\User\Start Menu\Programs\Startup\milhkgj5.exe
c:\documents and settings\User\Start Menu\Programs\Startup\mntykhlq.exe
c:\documents and settings\User\Start Menu\Programs\Startup\npsp56gtrz.exe
c:\documents and settings\User\Start Menu\Programs\Startup\nuixhg01n.exe
c:\documents and settings\User\Start Menu\Programs\Startup\nwqy55wezh.exe
c:\documents and settings\User\Start Menu\Programs\Startup\o55qmpvwyvx.exe
c:\documents and settings\User\Start Menu\Programs\Startup\p001dxgupre.exe
c:\documents and settings\User\Start Menu\Programs\Startup\pbgaj56wkt.exe
c:\documents and settings\User\Start Menu\Programs\Startup\peolh001v.exe
c:\documents and settings\User\Start Menu\Programs\Startup\qaflscgd.exe
c:\documents and settings\User\Start Menu\Programs\Startup\rawtlkg5.exe
c:\documents and settings\User\Start Menu\Programs\Startup\ruqt5sorlq.exe
c:\documents and settings\User\Start Menu\Programs\Startup\rzu01daczlf.exe
c:\documents and settings\User\Start Menu\Programs\Startup\surtqs55o.exe
c:\documents and settings\User\Start Menu\Programs\Startup\toi56uohve.exe
c:\documents and settings\User\Start Menu\Programs\Startup\tuimtaog.exe
c:\documents and settings\User\Start Menu\Programs\Startup\u0npsurtqs5.exe
c:\documents and settings\User\Start Menu\Programs\Startup\viyhs00jr.exe
c:\documents and settings\User\Start Menu\Programs\Startup\vokd56oirl.exe
c:\documents and settings\User\Start Menu\Programs\Startup\voo55owtle.exe
c:\documents and settings\User\Start Menu\Programs\Startup\vqsvruqt.exe
c:\documents and settings\User\Start Menu\Programs\Startup\wezh001rcm.exe
c:\documents and settings\User\Start Menu\Programs\Startup\whr00jxwoh.exe
c:\documents and settings\User\Start Menu\Programs\Startup\wo55audxgai.exe
c:\documents and settings\User\Start Menu\Programs\Startup\wsbl00flcq.exe
c:\documents and settings\User\Start Menu\Programs\Startup\wxd001bpye.exe
c:\documents and settings\User\Start Menu\Programs\Startup\x56yvxuwtvs.exe
c:\documents and settings\User\Start Menu\Programs\Startup\xaqblwg5.exe
c:\documents and settings\User\Start Menu\Programs\Startup\xrzuc556w.exe
c:\documents and settings\User\Start Menu\Programs\Startup\y01lpmolnog.exe
c:\documents and settings\User\Start Menu\Programs\Startup\ybn00vbwof.exe
c:\documents and settings\User\Start Menu\Programs\Startup\yirtqgbh.exe
c:\documents and settings\User\Start Menu\Programs\Startup\ynp00fbead.exe
c:\documents and settings\User\Start Menu\Programs\Startup\zfaiifh0.exe
c:\documents and settings\User\Start Menu\Programs\Startup\zhgi56uoh.exe
c:\documents and settings\User\Start Menu\Programs\Startup\zt01pembrqm.exe
c:\documents and settings\User\Start Menu\Programs\Startup\5knns01.exe
c:\windows\pss\5knns01.exeStartup
c:\documents and settings\User\Start Menu\Programs\Startup\ebtedm03.exe
c:\windows\pss\ebtedm03.exeStartup
c:\documents and settings\User\Start Menu\Programs\Startup\euz5mcratj.exe
c:\windows\pss\euz5mcratj.exeStartup
c:\documents and settings\User\rjs.exe
c:\windows\system32\drivers\ejdjisu.sys
c:\windows\system32\nadool.exe
c:\docume~1\User\LOCALS~1\Temp\gkmixern.sys


Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"baressut"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vageg"=-
[-HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^5knns01.exe]
[-HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^ebtedm03.exe]
[-HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^euz5mcratj.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\baressut]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Barsaka]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vageg]



Driver::
tklpi
q5ymg2u2
tekuaeelug
gkmixern


DDS::
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKman000&fl=0&ptb=.IyBejtO0LB4z.acBoa1EQ&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}



Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post in your next message the log that is produced at the end of the cleaning/scan.
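The CFScript above is a plain-text file whose `Section::` headers tell ComboFix what to remove. As an added example (not ComboFix's own code and not part of the helper's post), the following Python parses such a script and summarises what it would delete, so every path, value name and service name can be checked against the DDS/ComboFix log before the file is dropped onto ComboFix. The script embedded in it is a constructed, shortened version of the one above; the section semantics it assumes are the ones the script above uses (File:: deletes files, Registry:: uses REGEDIT syntax where `"name"=-` removes a value and `[-Key]` removes a key, Driver:: deletes services, DDS:: resets the listed entries).

```python
import re

# A section header is a word followed by "::" on a line of its own, e.g. "File::".
SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")


def split_sections(script):
    """Return a dict section_name -> list of non-empty body lines, in script order."""
    sections = {}
    current = None
    for raw in script.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is not None and line:
            sections[current].append(line)
    return sections


def parse_registry(lines):
    """Turn a Registry:: body into (keys_to_delete, values_to_delete).

    "[-HKLM\\...]" deletes the whole key; "[HKLM\\...]" selects a key for the
    '"name"=-' lines that follow, each of which deletes one value under it.
    Anything else is rejected so a typo cannot silently become a no-op.
    """
    keys_to_delete = []
    values_to_delete = []  # (key, value_name)
    key = None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            keys_to_delete.append(line[2:-1])
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        else:
            m = re.match(r'^"([^"]+)"\s*=\s*-$', line)
            if m and key is not None:
                values_to_delete.append((key, m.group(1)))
            else:
                raise ValueError("unrecognised Registry:: line: " + line)
    return keys_to_delete, values_to_delete


def summarize(script):
    """Summarise every action the CFScript would take, grouped by kind."""
    sec = split_sections(script)
    files = sec.get("File", [])
    keys, values = parse_registry(sec.get("Registry", []))
    return {
        "kill_all": "KillAll" in sec,          # ComboFix stops running processes first
        "files": files,
        # Executables dropped into the user's Startup folder are the bulk of this infection.
        "startup_folder_files": [p for p in files if "\\startup\\" in p.lower()],
        "registry_keys": keys,
        "registry_values": values,
        "drivers": sec.get("Driver", []),       # service names, not file paths
        "dds": sec.get("DDS", []),
    }


# Constructed, shortened sample in the format of the CFScript in this thread.
SAMPLE_CFSCRIPT = r"""
KillAll::

File::
c:\windows\system32\drivers\boxtcblcx.sys
c:\documents and settings\User\Start Menu\Programs\Startup\00zbyud.exe
c:\windows\pss\5knns01.exeStartup

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"baressut"=-
[-HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^5knns01.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\baressut]

Driver::
tklpi
gkmixern

DDS::
uSearchMigratedDefaultUrl = hxxp://search.example.invalid/?q={searchTerms}
"""

if __name__ == "__main__":
    for kind, items in summarize(SAMPLE_CFSCRIPT).items():
        print(kind, "->", items)
```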

  • Joined: 15 Jan 2011
  • Posts: 4
  • Location: Bijeljina

Here is the log:

ComboFix 11-01-22.01 - User 23.01.2011 0:09.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.385.1033.18.767.536 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt

FILE ::
"c:\docume~1\User\LOCALS~1\Temp\gkmixern.sys"
"c:\documents and settings\User\rjs.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\00zbyud.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\01niqlr.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\0rtqspr.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\1brgynl.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\1lgywtl.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\1rluoxr.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\1rtwcjn.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\1zasbvd.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\55iajdm.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\56cnxit.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\5gqbmgz.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\5knns01.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\5qurtqs.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\5sedlgy.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\6ebdacz.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\aidz001hui.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\arbm01xlao.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\auwzq00vr.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\bbicrzt0.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\bjycc55uq.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\bvksnly00.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\c55swvzjokt.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\canrlkm55.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\dlwmpl00.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\ebtedm03.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\ed56ebdaczb.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\egjfmc55.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\euz5mcratj.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\fxluixhg.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\fziclfoi.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\g01nsktnwqy.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\gopvgkhj.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\grbmwhs0.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\hof56izfio.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\hpmojxga.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\ht01tnwutpi.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\idfcud56s.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\igbn001xg.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\irpiabr0.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\je01fzowtzo.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\k556sldrakp.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\khj00flcqz.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\kntuqjju.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\le01zkufpal.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\lgo55uubby.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\lpq01pysav.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\m56ilhemavl.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\midfcud5.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\milhkgj5.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\mntykhlq.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\npsp56gtrz.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\nuixhg01n.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\nwqy55wezh.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\o55qmpvwyvx.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\p001dxgupre.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\pbgaj56wkt.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\peolh001v.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\qaflscgd.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\rawtlkg5.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\ruqt5sorlq.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\rzu01daczlf.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\surtqs55o.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\toi56uohve.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\tuimtaog.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\u0npsurtqs5.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\viyhs00jr.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\vokd56oirl.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\voo55owtle.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\vqsvruqt.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\wezh001rcm.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\whr00jxwoh.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\wo55audxgai.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\wsbl00flcq.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\wxd001bpye.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\x56yvxuwtvs.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\xaqblwg5.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\xrzuc556w.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\y01lpmolnog.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\ybn00vbwof.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\yirtqgbh.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\ynp00fbead.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\zfaiifh0.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\zhgi56uoh.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\zt01pembrqm.exe"
"c:\program files\Common Files\Windows Live\.cache\wlc1B.tmp"
"c:\program files\Common Files\Windows Live\.cache\wlc22.tmp"
"c:\program files\Common Files\Windows Live\.cache\wlcB.tmp"
"c:\windows\pss\5knns01.exeStartup"
"c:\windows\pss\ebtedm03.exeStartup"
"c:\windows\pss\euz5mcratj.exeStartup"
"c:\windows\system32\coucykerou.exe"
"c:\windows\system32\drivers\boxtcblcx.sys"
"c:\windows\system32\drivers\ejdjisu.sys"
"c:\windows\system32\foofowi.exe"
"c:\windows\system32\nadool.exe"
"c:\windows\system32\sakouvoo.exe"
"c:\windows\system32\vouhyg.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\User\Start Menu\Programs\Startup\00zbyud.exe
c:\documents and settings\User\Start Menu\Programs\Startup\01niqlr.exe
c:\documents and settings\User\Start Menu\Programs\Startup\0rtqspr.exe
c:\documents and settings\User\Start Menu\Programs\Startup\1brgynl.exe
c:\documents and settings\User\Start Menu\Programs\Startup\1lgywtl.exe
c:\documents and settings\User\Start Menu\Programs\Startup\1rluoxr.exe
c:\documents and settings\User\Start Menu\Programs\Startup\1rtwcjn.exe
c:\documents and settings\User\Start Menu\Programs\Startup\1zasbvd.exe
c:\documents and settings\User\Start Menu\Programs\Startup\55iajdm.exe
c:\documents and settings\User\Start Menu\Programs\Startup\56cnxit.exe
c:\documents and settings\User\Start Menu\Programs\Startup\5gqbmgz.exe
c:\documents and settings\User\Start Menu\Programs\Startup\5qurtqs.exe
c:\documents and settings\User\Start Menu\Programs\Startup\5sedlgy.exe
c:\documents and settings\User\Start Menu\Programs\Startup\6ebdacz.exe
c:\documents and settings\User\Start Menu\Programs\Startup\aidz001hui.exe
c:\documents and settings\User\Start Menu\Programs\Startup\arbm01xlao.exe
c:\documents and settings\User\Start Menu\Programs\Startup\auwzq00vr.exe
c:\documents and settings\User\Start Menu\Programs\Startup\bbicrzt0.exe
c:\documents and settings\User\Start Menu\Programs\Startup\bjycc55uq.exe
c:\documents and settings\User\Start Menu\Programs\Startup\bvksnly00.exe
c:\documents and settings\User\Start Menu\Programs\Startup\c55swvzjokt.exe
c:\documents and settings\User\Start Menu\Programs\Startup\canrlkm55.exe
c:\documents and settings\User\Start Menu\Programs\Startup\dlwmpl00.exe
c:\documents and settings\User\Start Menu\Programs\Startup\ed56ebdaczb.exe
c:\documents and settings\User\Start Menu\Programs\Startup\egjfmc55.exe
c:\documents and settings\User\Start Menu\Programs\Startup\fxluixhg.exe
c:\documents and settings\User\Start Menu\Programs\Startup\fziclfoi.exe
c:\documents and settings\User\Start Menu\Programs\Startup\g01nsktnwqy.exe
c:\documents and settings\User\Start Menu\Programs\Startup\gopvgkhj.exe
c:\documents and settings\User\Start Menu\Programs\Startup\grbmwhs0.exe
c:\documents and settings\User\Start Menu\Programs\Startup\hof56izfio.exe
c:\documents and settings\User\Start Menu\Programs\Startup\hpmojxga.exe
c:\documents and settings\User\Start Menu\Programs\Startup\ht01tnwutpi.exe
c:\documents and settings\User\Start Menu\Programs\Startup\idfcud56s.exe
c:\documents and settings\User\Start Menu\Programs\Startup\igbn001xg.exe
c:\documents and settings\User\Start Menu\Programs\Startup\irpiabr0.exe
c:\documents and settings\User\Start Menu\Programs\Startup\je01fzowtzo.exe
c:\documents and settings\User\Start Menu\Programs\Startup\k556sldrakp.exe
c:\documents and settings\User\Start Menu\Programs\Startup\khj00flcqz.exe
c:\documents and settings\User\Start Menu\Programs\Startup\kntuqjju.exe
c:\documents and settings\User\Start Menu\Programs\Startup\le01zkufpal.exe
c:\documents and settings\User\Start Menu\Programs\Startup\lgo55uubby.exe
c:\documents and settings\User\Start Menu\Programs\Startup\lpq01pysav.exe
c:\documents and settings\User\Start Menu\Programs\Startup\m56ilhemavl.exe
c:\documents and settings\User\Start Menu\Programs\Startup\midfcud5.exe
c:\documents and settings\User\Start Menu\Programs\Startup\milhkgj5.exe
c:\documents and settings\User\Start Menu\Programs\Startup\mntykhlq.exe
c:\documents and settings\User\Start Menu\Programs\Startup\npsp56gtrz.exe
c:\documents and settings\User\Start Menu\Programs\Startup\nuixhg01n.exe
c:\documents and settings\User\Start Menu\Programs\Startup\nwqy55wezh.exe
c:\documents and settings\User\Start Menu\Programs\Startup\o55qmpvwyvx.exe
c:\documents and settings\User\Start Menu\Programs\Startup\p001dxgupre.exe
c:\documents and settings\User\Start Menu\Programs\Startup\pbgaj56wkt.exe
c:\documents and settings\User\Start Menu\Programs\Startup\peolh001v.exe
c:\documents and settings\User\Start Menu\Programs\Startup\qaflscgd.exe
c:\documents and settings\User\Start Menu\Programs\Startup\rawtlkg5.exe
c:\documents and settings\User\Start Menu\Programs\Startup\ruqt5sorlq.exe
c:\documents and settings\User\Start Menu\Programs\Startup\rzu01daczlf.exe
c:\documents and settings\User\Start Menu\Programs\Startup\surtqs55o.exe
c:\documents and settings\User\Start Menu\Programs\Startup\toi56uohve.exe
c:\documents and settings\User\Start Menu\Programs\Startup\tuimtaog.exe
c:\documents and settings\User\Start Menu\Programs\Startup\u0npsurtqs5.exe
c:\documents and settings\User\Start Menu\Programs\Startup\viyhs00jr.exe
c:\documents and settings\User\Start Menu\Programs\Startup\vokd56oirl.exe
c:\documents and settings\User\Start Menu\Programs\Startup\voo55owtle.exe
c:\documents and settings\User\Start Menu\Programs\Startup\vqsvruqt.exe
c:\documents and settings\User\Start Menu\Programs\Startup\wezh001rcm.exe
c:\documents and settings\User\Start Menu\Programs\Startup\whr00jxwoh.exe
c:\documents and settings\User\Start Menu\Programs\Startup\wo55audxgai.exe
c:\documents and settings\User\Start Menu\Programs\Startup\wsbl00flcq.exe
c:\documents and settings\User\Start Menu\Programs\Startup\wxd001bpye.exe
c:\documents and settings\User\Start Menu\Programs\Startup\x56yvxuwtvs.exe
c:\documents and settings\User\Start Menu\Programs\Startup\xaqblwg5.exe
c:\documents and settings\User\Start Menu\Programs\Startup\xrzuc556w.exe
c:\documents and settings\User\Start Menu\Programs\Startup\y01lpmolnog.exe
c:\documents and settings\User\Start Menu\Programs\Startup\ybn00vbwof.exe
c:\documents and settings\User\Start Menu\Programs\Startup\yirtqgbh.exe
c:\documents and settings\User\Start Menu\Programs\Startup\ynp00fbead.exe
c:\documents and settings\User\Start Menu\Programs\Startup\zfaiifh0.exe
c:\documents and settings\User\Start Menu\Programs\Startup\zhgi56uoh.exe
c:\documents and settings\User\Start Menu\Programs\Startup\zt01pembrqm.exe
c:\program files\Common Files\Windows Live\.cache\wlc1B.tmp
c:\program files\Common Files\Windows Live\.cache\wlc22.tmp
c:\program files\Common Files\Windows Live\.cache\wlcB.tmp
c:\windows\pss\5knns01.exeStartup
c:\windows\pss\ebtedm03.exeStartup
c:\windows\pss\euz5mcratj.exeStartup
c:\windows\system32\coucykerou.exe
c:\windows\system32\drivers\boxtcblcx.sys
c:\windows\system32\foofowi.exe
c:\windows\system32\sakouvoo.exe
c:\windows\system32\vouhyg.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_Q5YMG2U2
-------\Legacy_TEKUAEELUG
-------\Service_gkmixern
-------\Service_q5ymg2u2
-------\Service_tekuaeelug
-------\Service_tklpi
-------\Legacy_boxtcblcx
-------\Service_boxtcblcx


((((((((((((((((((((((((( Files Created from 2010-12-22 to 2011-01-22 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-23 3756032]
"nwiz"="nwiz.exe" [2004-04-23 831488]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-04-23 46080]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 67072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AirLive Turbo-G Wireless Utility.lnk - c:\program files\Ovislink\Common\TurboG-UI.exe [2008-8-9 614400]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Multimedia keyboard driver.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Multimedia keyboard driver.lnk
backup=c:\windows\pss\Multimedia keyboard driver.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 03:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PAC7302_Monitor]
2006-11-03 09:01 319488 ----a-w- c:\windows\PixArt\PAC7302\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-11-22 23:45 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2124320
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKman000&fl=0&ptb=.IyBejtO0LB4z.acBoa1EQ&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {2B0F3E87-2761-4409-B3CE-EE706ABD059C} = 79.143.173.161 79.143.172.3
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\hngiuscv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2321365&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ZaMRadio Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 2
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2011-01-23 00:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
.
**************************************************************************
.
Completion time: 2011-01-23 00:20:24 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-22 23:20
ComboFix2.txt 2011-01-22 20:40

Pre-Run: 12.250.066.944 bytes free
Post-Run: 11.952.062.464 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - A574DFD02C004E59E097DACE3E833B4C

  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8620
  • Location: Novi Beograd

- Download USBNoRisk to the Desktop and run it by double-clicking the program icon.
- Wait a few seconds while the program performs its initial scan.
- Plug every USB storage device into the USB slot one after another and leave each one in the slot for 10 seconds.
- If you have several devices to check, write down on a piece of paper the order in which they were plugged in, because we will need that information later.
- When you have finished with all the devices, right-click in the middle of the program window and choose the Save scrambled log option. That will automatically open the log in Notepad. Copy that log from Notepad to the forum for us.

Explanation: USB storage devices are all devices that get their own drive letter when connected to the computer. These include USB flash drives, external hard disks, memory cards, MP3 and MP4 players, some mobile phones, some GPS (navigation) devices, etc.
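USBNoRisk's log reports two things per removable drive: which executable an autorun.inf hands to AutoPlay and the shell verbs, and whether a Desktop.ini assigns a folder a shell-folder CLSID so that Explorer shows it as something else. As an added example (not USBNoRisk's code and not part of the helper's post), the following Python performs those two checks offline on constructed sample files written in the style of the obfuscated autorun.inf that appears in the USBNoRisk log later in this thread; its CLSID table is assumed and holds only the Recycle Bin entry.

```python
import re

# Keys through which autorun.inf can launch a program (plain "open", ShellExecute
# and the shell verb commands). Keys are compared after lower-casing and after
# collapsing doubled backslashes, so both "shell\open\command" and the
# "shell\\open\\command" spelling seen in scan logs match.
LAUNCH_KEYS = ("open", "shellexecute", r"shell\open\command", r"shell\explore\command")

# Shell-folder CLSIDs a Desktop.ini can give an ordinary folder; Explorer then
# shows the folder as that shell object and hides its real contents.
KNOWN_SHELL_CLSIDS = {
    "{645FF040-5081-101B-9F08-00AA002F954E}": "Recycle Bin",
}


def parse_autorun(text):
    """Return (entries, oddities) for the [autorun] section.

    entries maps lower-cased key -> value; oddities collects lines that are
    neither ';' comments nor key=value, such as ":GOTO NUL" padding.
    Comment lines are skipped outright, so junk comments hide nothing.
    """
    entries, oddities, in_autorun = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun:
            continue
        if "=" not in line:
            oddities.append(line)
            continue
        key, _, value = line.partition("=")
        entries[key.strip().replace("\\\\", "\\").lower()] = value.strip()
    return entries, oddities


def launched_files(entries):
    """Executables the autorun.inf would run, de-duplicated in key order."""
    seen = []
    for key in LAUNCH_KEYS:
        val = entries.get(key)
        if val and val not in seen:
            seen.append(val)
    return seen


def autorun_verdict(text):
    entries, oddities = parse_autorun(text)
    files = launched_files(entries)
    reasons = []
    if files:
        reasons.append("launches " + ", ".join(files))
    if entries.get("useautoplay") == "1":
        reasons.append("forces AutoPlay (useautoplay=1)")
    if entries.get("icon", "").lower().startswith("%systemroot%"):
        reasons.append("borrows a system icon to look like a normal drive")
    if oddities:
        reasons.append("non-INI padding lines: " + "; ".join(oddities))
    # Only an autorun.inf that actually launches something is flagged; icon/label-only files are benign.
    return {"suspicious": bool(files), "files": files, "reasons": reasons}


def desktop_ini_verdict(text):
    m = re.search(r"^\s*CLSID\s*=\s*(\{[0-9A-Fa-f-]{36}\})", text, re.M | re.I)
    if not m:
        return {"suspicious": False, "clsid": None, "poses_as": None}
    clsid = m.group(1).upper()
    return {"suspicious": clsid in KNOWN_SHELL_CLSIDS, "clsid": clsid,
            "poses_as": KNOWN_SHELL_CLSIDS.get(clsid)}


# Constructed samples in the style of the files the USBNoRisk log shows.
SAMPLE_AUTORUN = r"""
;7V486579t6M16
[autorun]
;dK525J486S4Z72T1
open=yam.exe
;Dw8\8[U5Vi5PY\=x2541x72wz13v[6N[4L=r\tv268Yf
icon=%SystemRoot%\System32\SHELL32.dll,4
shell\\open\\command=yam.exe
shell\\explore\\command=yam.exe
useautoplay=1
:GOTO NUL
"""
SAMPLE_DESKTOP_INI = "[.ShellClassInfo]\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}\n"

if __name__ == "__main__":
    print(autorun_verdict(SAMPLE_AUTORUN))
    print(desktop_ini_verdict(SAMPLE_DESKTOP_INI))
```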

  • Joined: 15 Jan 2011
  • Posts: 4
  • Location: Bijeljina

First I plugged in the USB flash drive, and after it the MP3 player.

USBNoRisk 2.7 (28 December 2010) by bobby

Started at 23.1.2011 12:11:37

Searching for connected USB Mass storage...
----------------------------------------
========================================

Searching for other storage...
----------------------------------------
C: {93d926e0-7433-11d9-9366-806d6172696f}
========================================


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 93d926e0-7433-11d9-9366-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

========================================
Initial scan finished!
========================================


New device connected at 23.1.2011 12:11:50

Scanning for connected USB mass storage...
----------------------------------------

========================================
New drive connected, but USBNoRisk can't find it
========================================

========================================

========================================


New device connected at 23.1.2011 12:12:13

Scanning for connected USB mass storage...
----------------------------------------
E: {6deaafc0-d74c-11dc-bcf4-000fea73f7d5}
Added E:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on E:
----------------------------------------
autorun.inf found on E:
----------------------------------------
File E:\autorun.inf renamed successfully

Content of E:\autorun.inf.blocked
----------------------------------------
;7V486579t6M16
[autorun]
;dK525J486S4Z72T1
open=yam.exe
;Dw8\8[U5Vi5PY\=x2541x72wz13v[6N[4L=r\tv268Yf
icon=%SystemRoot%\System32\SHELL32.dll,4
;Dq9n32nX04hM8xkL934TNb222j7%a587EGIdr%WNc15c
;eMKai77jO6hsG6bq02e41s3P5Q7ClP5v
shell\\open\\command=yam.exe
;2c6634y9732I230f36114IJE6fX73fRl
;GoU3k11570585]K5K3F5O8s7\81mm78BPEv]S
shell\\explore\\command=yam.exe
;Wd21ur5ruL23[O24564=4D7V486579t6M16dK
;525J486S4Z72T1H1L47
useautoplay=1
;E23q40JUC43Dw8\8[U5
;Vi5PY\=x2541x72
:GOTO NUL
;wz13v[6N[4L=r\tv2
----------------------------------------

Files referenced from E:\autorun.inf.blocked
----------------------------------------
E:\yam.exe -r-hs 113152
----------------------------------------

No mountpoint found for 6deaafc0-d74c-11dc-bcf4-000fea73f7d5
----------------------------------------

----------------------------------------
Desktop.ini found at E:\SANJA\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
----------------------------------------
Desktop.ini found at E:\NATASA\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
----------------------------------------

No mimics found on drive E:
----------------------------------------

No .lnk/.pif/.com/.scr files found on drive E:
========================================

========================================
Removed E:
========================================


New device connected at 23.1.2011 12:12:54

Scanning for connected USB mass storage...
----------------------------------------
E: {f4d4c580-9d50-11de-821c-000fea73f7d5}
Added E:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on E:
----------------------------------------
autorun.inf found on E:
----------------------------------------
File E:\autorun.inf renamed successfully

Content of E:\autorun.inf.blocked
----------------------------------------
;7V486579t6M16
[autorun]
;dK525J486S4Z72T1
open=yam.exe
;Dw8\8[U5Vi5PY\=x2541x72wz13v[6N[4L=r\tv268Yf
icon=%SystemRoot%\System32\SHELL32.dll,4
;Dq9n32nX04hM8xkL934TNb222j7%a587EGIdr%WNc15c
;eMKai77jO6hsG6bq02e41s3P5Q7ClP5v
shell\\open\\command=yam.exe
;2c6634y9732I230f36114IJE6fX73fRl
;GoU3k11570585]K5K3F5O8s7\81mm78BPEv]S
shell\\explore\\command=yam.exe
;Wd21ur5ruL23[O24564=4D7V486579t6M16dK
;525J486S4Z72T1H1L47
useautoplay=1
;E23q40JUC43Dw8\8[U5
;Vi5PY\=x2541x72
:GOTO NUL
;wz13v[6N[4L=r\tv2
----------------------------------------

Files referenced from E:\autorun.inf.blocked
----------------------------------------
E:\yam.exe -r-hs 113152
----------------------------------------

No mountpoint found for f4d4c580-9d50-11de-821c-000fea73f7d5
----------------------------------------

----------------------------------------
Desktop.ini found at E:\NATASA\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
----------------------------------------

No mimics found on drive E:
----------------------------------------

No .lnk/.pif/.com/.scr files found on drive E:
========================================

========================================
Removed E:
========================================

offline
  • helen1  Male
  • Anti Malware Fighter
    Rank 2
  • Master Teacher
  • Joined: 27 Aug 2005
  • Posts: 8620
  • Location: Novi Beograd

Download the following program and completely uninstall the Norton that is present on your system: ftp://ftp.symantec.com/public/english_us_canada/re.....l_Tool.exe

Then install an antivirus.
