Neki dialeri i čuda

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Uloguj se preko Facebooka da bi skinuo fajl:

Pre dva dana je počeo NOD da mi prijavljuje neke viruse, dialere, trojance, podivljali su mi i messengeri pa mi izbacuju neke linkove. Skype mi stalno nudi da skinem gole slike moje mame. Yahoo messenger mi je od svih kontakata poslao isti link, da vidim svoje gole slike... I tako.

Ja sam pročešljao komp svime šta imam instalirano: CCleaner, TuneUp, SpyBot, Ad-Aware i NOD 32. Našlo se par sitnica, valjda 4 neka maliciozna fajla koje sam obrisao. Ali i dalje mi izbacuje nešto NOD, pa evo slike prozorčića:







A evo i log fajla:

https://www.mycity.rs/must-login.png

Molim vas za pomoć.

I da, dok sam kucao ovo, opet je izbacio prozore, ali sada su drugi brojevi u pitanju. Ono na slikama što je 702.exe, sad je 2.exe izbacio... Izgleda se brojevi menjaju...


Logfile of HijackThis v1.99.1
Scan saved at 17:02:15, on 20.1.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\VMSnap23.exe
C:\WINDOWS\Domino.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\SafeSignCertReg.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\MessengerDiscovery\MessengerDiscovery Live.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Install\MAGICM~1\Magic.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\ApexDC++_Gusari_XY6\ApexDC.exe
C:\DOCUME~1\IVANPE~1\LOCALS~1\Temp\075.exe
C:\DOCUME~1\IVANPE~1\LOCALS~1\Temp\361.exe
C:\DOCUME~1\IVANPE~1\LOCALS~1\Temp\232.exe
C:\DOCUME~1\IVANPE~1\LOCALS~1\Temp\380.exe
C:\DOCUME~1\IVANPE~1\LOCALS~1\Temp\485.exe
C:\DOCUME~1\IVANPE~1\LOCALS~1\Temp\240.exe
C:\DOCUME~1\IVANPE~1\LOCALS~1\Temp\579.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Opera\opera.exe
C:\Program Files\totalcmd\TC PowerPack\totalcmd_.exe
C:\Program Files\ACD Systems\ACDSee\8.0\ACDSee8.exe
D:\Install\HJT\H3.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.medfax.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [BigDogPath323VMSnap] C:\WINDOWS\VMSnap23.exe
O4 - HKLM\..\Run: [BigDogPath323Domino] C:\WINDOWS\Domino.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [CertificateRegistration] SafeSignCertReg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Windows Service help] C:\RECYCLER\S-1-5-21-3117105925-7748888398-658117204-9010\winservices.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V.....4481138734
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - Unknown owner - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe (file missing)

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Zdravo,

* Otvori Nod32 Control Center (Klik na njegovu tray ikonicu ( ) u donjem desnom uglu ekrana).
* Izaberi AMON iz Threat Protection grupe opcija.
* Na desnom panelu deštikliraj opciju File system monitor (AMON) enabled.
* Gašenje ove opcije pokazaće se kroz promenu boje Control Center-a iz zelene u crvenu.

Napomena: Ne zaboravi da uključiš ovu opciju po završetku čišćenja.


------------------------

Skini ComboFix sa jedne od sledecih adresa na Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Startuj ga i ne diraj prozor programa dok skenira.
Sledi uputstva na ekranu. Kada zavrsi pojavice se log (C:\ComboFix.txt) koji ces nam ovde iskopirati.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Ok, skenirao sam sa NOD-om opet kako si reko, isključio sam AMON. Ništa nije našao... Onda sam pokrenuo ComboFix i odmah mi je restartovao komp. Onda je izbacio tri prozora Error u kojima ništa nije pisalo, samo sam kliknuo OK... Onda sam ga opet pokrenuo i pogasio sve zaštite koje imam. Nešto je brisao Cache i radio uglavnom nešto i opet restartovao komp. E onda kaže, nemoj paliti druge programe dok on ne završi. I tu mi NOD opet izbaci prozor da je našao neki virus, opet 2.exe. I krenu programi iz start up-a da se dižu, to nisam mogao da sprečim... Anyway, evo log fajla koje je generisao ComboFix:

ComboFix 09-01-19.05 - Ivan Pear 2009-01-20 18:31:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1539 [GMT 1:00]
Running from: c:\documents and settings\Ivan Pear\Desktop\ComboFix.exe
AV: Eset NOD32 antivirus system 2.51 *On-access scanning enabled* (Updated)
FW: Outpost Firewall Pro *disabled*
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Agnitum\Outpost Firewall\wl_hook.dll
c:\windows\system32\Cache

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VFILT
-------\Service_VFILT


((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-20 17:36 --------- d-----w c:\documents and settings\Ivan Pear\Application Data\Skype
2009-01-20 17:23 --------- d-----w c:\documents and settings\Ivan Pear\Application Data\skypePM
2009-01-20 01:49 --------- d-----w c:\program files\CCleaner
2009-01-20 01:49 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-17 19:27 --------- d-----w c:\program files\QuickTime
2008-12-17 19:26 --------- d-----w c:\program files\Common Files\Apple
2008-12-17 19:26 --------- d-----w c:\program files\Apple Software Update
2008-12-17 19:26 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-17 19:26 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-12-17 19:12 --------- d-----w c:\documents and settings\Ivan Pear\Application Data\Apple Computer
2008-12-16 21:14 --------- d-----w c:\program files\Opera
2008-12-12 23:33 --------- d-----w c:\program files\MessengerDiscovery
2008-12-11 03:02 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-10 01:55 --------- d-----w c:\program files\Common Files\Skype
2008-12-04 16:29 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-27 13:59 --------- d-----w c:\program files\K-Lite Codec Pack
2008-11-25 03:08 --------- d-----w c:\documents and settings\Ivan Pear\Application Data\uTorrent
2008-11-11 22:00 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-11-02 14:02 7,680 ----a-w c:\windows\system32\ff_vfw.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\divx.dll
2008-10-23 16:18 306,432 ----a-w c:\windows\system32\TuneUpDefragService.exe
2007-11-30 15:36 22,328 ----a-w c:\documents and settings\Ivan Pear\Application Data\PnkBstrK.sys
2006-06-23 22:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2008-11-05 4347120]
"Windows Service help"="c:\recycler\S-1-5-21-3117105925-7748888398-658117204-9010\winservices.exe" [2009-01-18 101888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gainward"="c:\windows\TBPanel.exe" [2007-06-26 2173480]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-23 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-23 81920]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"BigDogPath323VMSnap"="c:\windows\VMSnap23.exe" [2006-09-19 212992]
"BigDogPath323Domino"="c:\windows\Domino.exe" [2006-06-28 49152]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-01-24 917504]
"Outpost Firewall"="c:\program files\Agnitum\Outpost Firewall\outpost.exe" [2006-10-20 94720]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2006-10-30 335872]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-11 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"nwiz"="nwiz.exe" [2007-07-23 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 c:\windows\RTHDCPL.exe]
"CertificateRegistration"="SafeSignCertReg.exe" [2004-02-17 c:\windows\system32\SafeSignCertReg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\Ivan Pear\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CanonSolutionMenu"=c:\program files\Canon\SolutionMenu\CNSLMAIN.exe /logon
"DiskeeperSystray"="c:\program files\Executive Software\Diskeeper\DkIcon.exe"
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe"
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 SandBox;Outpost Firewall Sandbox Driver;c:\program files\Agnitum\Outpost Firewall\Kernel\SandBox.sys [2008-01-24 256296]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2007-11-07 38656]
R3 TodosAgmII;Driver for Todos Argosmini II USB;c:\windows\system32\drivers\AgmIIusb.sys [2008-03-19 22016]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
R3 vmfilter323;323 filter service, Normal;c:\windows\system32\drivers\vmfilter323.sys [2007-11-07 476672]
R3 ZSMC326;VIMICRO USB2.0 PC Camera(VC0323);c:\windows\system32\drivers\usbvm323.sys [2007-11-07 260096]
S3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\adblock.dll [2008-01-24 33568]
S3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\arp.dll [2008-01-24 17408]
S3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\content.dll [2008-01-24 4896]
S3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\dnscache.dll [2008-01-24 14464]
S3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\ftpfilt.dll [2008-01-24 9248]
S3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\htmlfilt.dll [2008-01-24 11552]
S3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\httpfilt.dll [2008-01-24 13216]
S3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\imapfilt.dll [2008-01-24 7168]
S3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\mailfilt.dll [2008-01-24 14880]
S3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\nntpfilt.dll [2008-01-24 6752]
S3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\pop3filt.dll [2008-01-24 10048]
S3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\protect.dll [2008-01-24 15200]
S3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);c:\program files\Agnitum\Outpost Firewall\Kernel\secret.dll [2008-01-24 12928]
S3 UsbCmxp;Scientific Atlanta WebSTAR 2000 series Cable Modem;c:\windows\system32\drivers\sacmxp2.sys [2007-11-07 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44c06ee3-96d3-11dc-a3eb-001d6093bdd7}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bde930dc-2116-11dd-a4c3-001d6093bdd7}]
\Shell\AutoRun\command - L:\
\Shell\open\Command - rundll32.exe .\\msatsspc.dll,InstallM

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef1b193e-8296-11dd-a52b-001d6093bdd7}]
\Shell\Auto\command - L:\activexdebugger32.exe f
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - L:\activexdebugger32.exe f
\Shell\open\Command - L:\activexdebugger32.exe f
.
Contents of the 'Scheduled Tasks' folder

2009-01-09 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 14:17]

2009-01-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.medfax.org/
IE: + &Download Express: download this file - c:\program files\Download Express\Add_Url.htm
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: imon.dll
Name-Space Handler: ftp\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\progra~1\DOWNLO~1\mdpph.dll
Name-Space Handler: http\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\progra~1\DOWNLO~1\mdpph.dll
Name-Space Handler: https\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\progra~1\DOWNLO~1\mdpph.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 18:35:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1614895754-688789844-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c8,69,20,b1,14,a8,81,6b,59,b4,a5,17,b8,ef,b7,42,7d,82,fa,ac,9b,1b,cf,
7b,d6,f6,f5,60,bd,e4,40,7f,da,d1,ca,71,02,b9,0b,cb,06,30,0b,26,4a,47,14,06,\
"??"=hex:c9,32,d9,29,9c,8e,85,25,e8,29,7b,36,24,6d,08,bf
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(888-)
c:\windows\system32\imon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\scardsvr.exe
c:\windows\system32\rundll32.exe
c:\program files\Executive Software\Diskeeper\DkService.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\ESET\nod32krn.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Yahoo!\Messenger\YahooMessenger.exe
c:\program files\MessengerDiscovery\MessengerDiscovery Live.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\totalcmd\TC PowerPack\TCPowerPack.exe
c:\program files\totalcmd\TC PowerPack\Totalcmd.exe
c:\program files\totalcmd\TC PowerPack\Totalcmd_.exe
.
**************************************************************************
.
Completion time: 2009-01-20 18:37:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-20 17:37:52

Pre-Run: 19.802.116.096 bytes free
Post-Run: 19,706,535,936 bytes free

214

P.S.: Ako si mi pokvario kompjuter kupićeš mi nov!

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Panonian ::
P.S.: Ako si mi pokvario kompjuter kupićeš mi nov!

Hahah, znas kako kazu u Muckama "Nema novca natrag, nema garancije".


btw. Ugasio si FW, Nod je radio.

Aj, probaj ponovo. Ugasi Nod pa skeniraj ComboFixom.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

I meni je izbacio da je NOD uključen, a ugasio sam ga! Ono, desni klik na ikonu u Tray-u pa Quit... A on kaže "radi ti NOD". E sad ti njega ubedi da sam ga isključio... Aj pokušaću opet, makar da ga ubijem u procesima, ne znam stvarno šta mu je.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Imas gore uputstvo kako se gasi NOD32, molim te da ga ispostujes.
Ne gasi se NOD tako kako si ti ucinio. Ti si ugasio samo graficki interfejs, a ne i sam engine.

Ako ti budemo pokvarili komp, to ce biti zato sto ti ne sledis uputstva, a ne nasom krivicom.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Otvori sledeci fajl u Notepadu, i iskopiraj mi sadrzaj ovde:

C:\Qoobox\ComboFix-quarantined-files.txt

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

@helen1:

2008-01-24 21:17:27 A------- 322,560 C:\Qoobox\Quarantine\C\Program Files\Agnitum\Outpost Firewall\wl_hook.dll.vir
2009-01-20 18:20:28 A------- 556 C:\Qoobox\Quarantine\catchme.log
2009-01-20 18:20:51 A------- 144,023 C:\Qoobox\Quarantine\C\Program Files\Agnitum\Outpost Firewall\_wl_hook_.dll.zip
2009-01-20 18:32:16 A------- 10,704 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-01-20 18:32:22 A------- 1,398 C:\Qoobox\Quarantine\Registry_backups\Legacy_VFILT.reg.dat
2009-01-20 18:33:03 A------- 156,650 C:\Qoobox\Quarantine\Registry_backups\Service_VFILT.reg.dat
2009-01-20 20:30:19 A------- 182 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Windows Service help.reg.dat

@bobby: Šalio sam se za kvarenje kompa... Nemoj odmah da se ljutiš. Pregledao sam sve teme koje su obeležene kao važne, pregledao sam podforum Uputstva i Googlao. Nikako nisam uspeo da nađem upustvo da isključim NOD. Nisam našao ono uputstvo "gore"... Na Google sam našao da ga isključim u msconfig, ali ni to nije pomoglo, opet je pokazao ComboFix da radi NOD. Pokušao sam da ga ubijem u procesima, ali se iznova pojavljuje... Ne znam kako da ugasim NOD, pa ako nije problem, da mi date link ili kratko kažete šta da uradim...

Sada mi ne izbacuje NOD više one prozore, ali skype je uporan i pojavljuje se nekoliko prozorčića odjednom da skinem slike moje gole mame!!! Užas...

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

U poruci u kojoj ti je helen1 napisao da skines i pustis ComboFix, u istoj poruci ti prvo pise kako se iskljucuje NOD32.

I naravno da se ne ljutim

Izvinjavam se kolegi za offtopic u njegovoj temi.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Iskljuci NOD i uradi sledece:


Otvoriti Notepad i iskopirati sledeci tekst:

DeQuarantine::
C:\Qoobox\Quarantine\C\Program Files\Agnitum\Outpost Firewall\_wl_hook_.dll.zip

File::
c:\recycler\S-1-5-21-3117105925-7748888398-658117204-9010\winservices.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44c06ee3-96d3-11dc-a3eb-001d6093bdd7}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bde930dc-2116-11dd-a4c3-001d6093bdd7}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef1b193e-8296-11dd-a52b-001d6093bdd7}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Service help"=-


Snimiti na Desktop fajl iz Notepada kao "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.