Problem with viruses


  • Dragan Đurašinović
  • Joined: 20 Dec 2008
  • Posts: 82

Posted: 28 Oct 2011 11:35

The problem is this: my sister has had a laptop for three years, and in all that time she hasn't had any antivirus; now she has problems with viruses. When she copies some pictures or another document, it is often invisible, or when someone plugs in a flash drive and takes it home, they say there are a lot of viruses on it. I temporarily put on some NOD, but it can't update, I believe because of the viruses, so I'd ask you for help if possible.
I'm using a 3G internet connection, some minimal speed of about 512 kb.

Here is the DDS report

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by Sladja at 10:47:41 on 2011-10-28
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.894.270 [GMT 1:00]
.
AV: ESET Smart Security 3.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Win\lsass.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Vista Rainbar\Rainmeter.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\mts mobilni internet\mts mobilni internet.exe
C:\Program Files\Mozilla Firefox 3 Beta 3\firefox.exe
C:\Program Files\Mozilla Firefox 3 Beta 3\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Vista Rainbar] c:\program files\vista rainbar\Vista Rainbar.exe
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [(Default)] c:\windows\svchost.exe
mRun: [CPQEASYBTTN] c:\windows\system32\BttnServ.exe
mRun: [run32] c:\win\lsass.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: Interfaces\{580FD376-18EF-469A-8F89-E0DA37D566D8} : NameServer = 195.178.38.3 195.178.38.8
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\sladja\application data\mozilla\firefox\profiles\xrab5ups.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - component: c:\documents and settings\sladja\application data\mozilla\firefox\profiles\xrab5ups.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\sladja\application data\mozilla\firefox\profiles\xrab5ups.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCoreGecko5.dll
FF - component: c:\documents and settings\sladja\application data\mozilla\firefox\profiles\xrab5ups.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCoreGecko6.dll
FF - plugin: c:\documents and settings\sladja\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\mozilla firefox 3 beta 3\plugins\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox 3 beta 3\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox 3 beta 3\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox 3 beta 3\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox 3 beta 3\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox 3 beta 3\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Zynga Community Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R2 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2007-12-21 468224]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2011-10-27 100480]
R4 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1008030.006\symefa.sys --> c:\windows\system32\drivers\nis\1008030.006\SYMEFA.SYS [?]
RUnknown EraserUtilRebootDrv;EraserUtilRebootDrv; [x]
S2 fedpq;Windows Manager;c:\windows\system32\svchost.exe -k netsvcs [2002-12-31 14336]
S3 aulyi;aulyi;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 bhwth;bhwth;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 bourysmx;bourysmx;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 chlibgh;chlibgh;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 dmwgpaw;dmwgpaw;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 ehcmvx;ehcmvx;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 emosfcy;emosfcy;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 eulbijjq;eulbijjq;\??\c:\windows\system32\03.tmp --> c:\windows\system32\03.tmp [?]
S3 gkfzqbxru;gkfzqbxru;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 gpbgalptw;gpbgalptw;\??\c:\windows\system32\03.tmp --> c:\windows\system32\03.tmp [?]
S3 gtvbpyo;gtvbpyo;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-24 133104]
S3 gvsgtkuz;gvsgtkuz;\??\c:\windows\system32\02b9.tmp --> c:\windows\system32\02B9.tmp [?]
S3 gxkpn;gxkpn;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 hoidusnxi;hoidusnxi;\??\c:\windows\system32\03.tmp --> c:\windows\system32\03.tmp [?]
S3 hsqfp;hsqfp;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 htkwv;htkwv;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 hzamodurx;hzamodurx;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 ieskei;ieskei;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 isibjyn;isibjyn;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 jmpjsg;jmpjsg;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 jxsorvrth;jxsorvrth;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 kgbyeql;kgbyeql;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 leelv;leelv;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 lfqhzl;lfqhzl;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 mcnxbeh;mcnxbeh;\??\c:\windows\system32\03.tmp --> c:\windows\system32\03.tmp [?]
S3 mrdckja;mrdckja;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 mwogt;mwogt;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 oiinag;oiinag;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 oxwkm;oxwkm;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 pekkhndti;pekkhndti;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 pyjfxj;pyjfxj;\??\c:\windows\system32\04.tmp --> c:\windows\system32\04.tmp [?]
S3 qtebrpert;qtebrpert;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 quzrptzvz;quzrptzvz;\??\c:\windows\system32\04.tmp --> c:\windows\system32\04.tmp [?]
S3 qvrfb;qvrfb;\??\c:\windows\system32\03.tmp --> c:\windows\system32\03.tmp [?]
S3 sintrbobf;sintrbobf;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 vwcpog;vwcpog;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 wdhpcxn;wdhpcxn;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 wocbet;wocbet;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 wwmjyt;wwmjyt;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 wxbubuh;wxbubuh;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 wzigjlm;wzigjlm;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 xufyavyl;xufyavyl;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 yobdj;yobdj;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 zcasmmlnw;zcasmmlnw;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 zluihi;zluihi;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 zvcidf;zvcidf;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
.
=============== Created Last 30 ================
.
2011-10-27 22:14:22 352 ---ha-w- c:\windows\nod32fixtemdono.reg
2011-10-27 22:05:35 -------- d-----w- c:\documents and settings\sladja\application data\ESET
2011-10-27 19:42:09 -------- d-----w- c:\documents and settings\sladja\local settings\application data\ESET
2011-10-27 19:40:30 -------- d-----w- c:\program files\ESET
2011-10-27 17:54:45 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2011-10-27 17:54:45 112640 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2011-10-27 17:54:45 102528 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2011-10-27 17:54:45 100480 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
2011-10-27 17:54:29 -------- d-----w- c:\program files\mts mobilni internet
2011-10-09 12:47:14 -------- d-----w- c:\documents and settings\sladja\local settings\application data\Identities
.
==================== Find3M ====================
.
.
============= FINISH: 10:48:19,75 ===============


The GMER results are here too; after the first scan it showed the following message:
"GMER has found system modification caused by ROOTKIT activity"

Thanks in advance!

Addendum: 28 Oct 2011 23:16

Just to add that the computer is not slowing down.
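The DDS log in this post already contains the indicators a responder would key on: dozens of services with random names whose ImagePath is the same 02.tmp/03.tmp file in system32, and lsass.exe and svchost.exe started from C:\Win and C:\WINDOWS instead of C:\WINDOWS\system32. The following Python script is an added example by the editor, not a tool from the thread or from the DDS author; it parses a constructed excerpt copied from the log above and flags both patterns. The expected directories for the system binaries are an assumption for a 32-bit XP install, and the hypothetical rule names (tmp-image, wrong-dir) are the script's own.

```python
"""Triage of a DDS log for the two indicators visible in the thread.

Added example, not part of the post and not DDS code. Two rules:
  1. a service whose ImagePath is a *.tmp file (here in system32);
  2. a Windows system binary name (svchost.exe, lsass.exe, ...) running or
     auto-started from a directory other than the one it belongs in.
"""
import re
from collections import Counter

# Where the genuine binaries live on a 32-bit XP install (assumption).
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
SERVICE_RE = re.compile(r"^(?:[RS]\d|RUnknown)\s+([^;]+);([^;]*);(.*)$")
RUN_RE = re.compile(r"^[umd]Run:\s+\[(.+?)\]\s+(.*)$")

# Constructed excerpt, copied from the DDS log in the thread.
DDS_EXCERPT = r"""
DDS (Ver_2011-08-26.01) - NTFSx86
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Win\lsass.exe
============== Pseudo HJT Report ===============
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [(Default)] c:\windows\svchost.exe
mRun: [run32] c:\win\lsass.exe
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
============= SERVICES / DRIVERS ===============
R2 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2007-12-21 468224]
S2 fedpq;Windows Manager;c:\windows\system32\svchost.exe -k netsvcs [2002-12-31 14336]
S3 aulyi;aulyi;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 bhwth;bhwth;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 eulbijjq;eulbijjq;\??\c:\windows\system32\03.tmp --> c:\windows\system32\03.tmp [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-24 133104]
"""


def extract_path(field: str) -> str:
    """Pull the lowercased image path out of a DDS process/service/Run field."""
    field = field.strip()
    if field.startswith("\\??\\"):          # NT object-manager prefix on ImagePath
        field = field[4:]
    if field.startswith('"'):
        return field.split('"')[1].lower()
    # cut arguments (" -k netsvcs") and DDS annotations (" --> ...", " [size]")
    return re.split(r"\s+(?=-|\[)", field, maxsplit=1)[0].lower()


def triage(log_text: str) -> list[dict]:
    findings, section = [], ""
    for line in log_text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if not line or line == ".":
            continue
        source, path = None, None
        if section.startswith("SERVICES"):
            m = SERVICE_RE.match(line)
            if m:
                source, path = "service " + m.group(1), extract_path(m.group(3))
                if path.endswith(".tmp"):
                    findings.append({"rule": "tmp-image", "source": source, "path": path})
        elif section.startswith("Running"):
            source, path = "process", extract_path(line)
        else:
            m = RUN_RE.match(line)
            if m:
                source, path = "Run [" + m.group(1) + "]", extract_path(m.group(2))
        if path and "\\" in path:               # bare names like "svchost.exe" carry no location
            directory, name = path.rsplit("\\", 1)
            if "." not in name:
                name += ".exe"                  # DDS sometimes prints "svchost" without extension
            expected = EXPECTED_DIR.get(name)
            if expected and directory != expected:
                findings.append({"rule": "wrong-dir", "source": source, "path": path})
    return findings


def shared_images(findings: list[dict]) -> Counter:
    """How many distinct services point at the same .tmp image."""
    return Counter(f["path"] for f in findings if f["rule"] == "tmp-image")


if __name__ == "__main__":
    result = triage(DDS_EXCERPT)
    for f in result:
        print(f["rule"], f["source"], f["path"])
    print(shared_images(result))
```

The second rule is the cheaper of the two to generalise: a process list is noisy, but an OS binary name appearing outside its home directory is almost never legitimate, and here it fires on both the running C:\Win\lsass.exe and the two Run keys that start it and the fake c:\windows\svchost.exe at logon.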

  • Més que un club
  • Lead vocalist @ Harpun
  • Joined: 27 Feb 2009
  • Posts: 3898
  • Location: Novi Sad, Klisa

Hi draganela


While the case is being resolved, I'd ask you to stick to the following:
Read my instructions (or the instructions of the colleagues standing in for me) carefully and follow them exclusively;
Don't seek help elsewhere at the same time;
Don't use other malware removal programs apart from those you receive instructions for;
During the intervention, don't use USB storage devices until I ask for it;
If I don't reply within 48h, bump the thread with a new post;
If you don't reply within 5 days, we'll close the case.

For more information about the rules of the MyCity forum Ambulanta: LINK

-------------------------------------------------------------------------------------




Download sUBs' ComboFix from the following address to the Desktop:


Bleeping Computer
Right-click the link and choose Save Target As... (Save Link As..., Save Linked Content As... or similar);
When the dialog for choosing where to save the file opens, select Desktop and click Save.




When the download is finished:
deactivate your security software (instructions);
close running programs;
double-click to run ComboFix;
in the window that opens, click "I Agree".

While running, ComboFix will:
check whether a newer version of the program exists: click Yes if it offers to download it;
if the Recovery Console is not installed, offer to install it: be sure to accept by clicking Yes and follow the procedure;
display a certain number of prompts/notifications: accept by clicking Yes or OK;
if necessary, restart Windows (several times);
at the end, open Notepad with the scan report.


Copy the report ComboFix produced into the thread on the forum:
right-click in the Notepad window and choose Select All;
right-click the selected text and choose Copy;
right-click in the message box and choose Paste.


Note: the report will be saved under the name ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
If after posting you notice the report isn't complete, use the Attach file option to attach the file C:\ComboFix.txt to the message.



NIx Car (AMF Team)

  • Dragan Đurašinović
  • Joined: 20 Dec 2008
  • Posts: 82

Sending the ComboFix log

Just to note, I switched NOD off at the start, but when the computer restarted it turned itself back on.

ComboFix 11-10-29.03 - Sladja 29.10.2011 11:15:59.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.894.401 [GMT 1:00]
Running from: c:\documents and settings\Sladja\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\msgsvc.dll was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\msgsvc.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-29 )))))))))))))))))))))))))))))))
.
.
2011-10-27 22:14 . 2008-01-07 13:29 352 ---ha-w- c:\windows\nod32fixtemdono.reg
2011-10-27 22:05 . 2011-10-27 22:05 -------- d-----w- c:\documents and settings\Sladja\Application Data\ESET
2011-10-27 20:11 . 2011-10-27 20:11 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2011-10-27 19:42 . 2011-10-27 22:28 -------- d-----w- c:\documents and settings\Sladja\Local Settings\Application Data\ESET
2011-10-27 19:40 . 2011-10-27 22:02 -------- d-----w- c:\program files\ESET
2011-10-27 19:40 . 2011-10-27 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2011-10-27 17:54 . 2009-08-19 10:47 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2011-10-27 17:54 . 2009-08-19 10:47 112640 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2011-10-27 17:54 . 2009-08-19 10:47 102528 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2011-10-27 17:54 . 2009-08-19 10:47 100480 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
2011-10-27 17:54 . 2011-10-27 17:55 -------- d-----w- c:\program files\mts mobilni internet
2011-10-09 12:47 . 2011-10-09 12:47 -------- d-----w- c:\documents and settings\Sladja\Local Settings\Application Data\Identities
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2002-12-31 . A77219A971029DC2FB683E8513713803 . 215552 . . [5.1.2600.2055] . . c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-10-29_10.06.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-29 10:23 . 2011-10-29 10:23 16384 c:\windows\Temp\Perflib_Perfdata_884.dat
+ 2011-10-29 10:22 . 2011-10-29 10:22 16384 c:\windows\Temp\Perflib_Perfdata_630.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vista Rainbar"="c:\program files\Vista Rainbar\Vista Rainbar.exe" [2009-08-26 47033]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-06-21 35328]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-10-28 30192]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2002-12-31 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9058:TCP"= 9058:TCP:vrfgae
.
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [21.12.2007 8:21 468224]
S2 fedpq;Windows Manager;c:\windows\system32\svchost.exe -k netsvcs [31.12.2002 13:00 14336]
S3 aulyi;aulyi;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 bhwth;bhwth;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 bourysmx;bourysmx;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 chlibgh;chlibgh;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 dmwgpaw;dmwgpaw;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 ehcmvx;ehcmvx;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 emosfcy;emosfcy;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 eulbijjq;eulbijjq;\??\c:\windows\system32\03.tmp --> c:\windows\system32\03.tmp [?]
S3 gkfzqbxru;gkfzqbxru;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [28.10.2011 21:00 30192]
S3 gpbgalptw;gpbgalptw;\??\c:\windows\system32\03.tmp --> c:\windows\system32\03.tmp [?]
S3 gtvbpyo;gtvbpyo;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [24.5.2010 15:13 133104]
S3 gvsgtkuz;gvsgtkuz;\??\c:\windows\system32\02B9.tmp --> c:\windows\system32\02B9.tmp [?]
S3 gxkpn;gxkpn;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 hoidusnxi;hoidusnxi;\??\c:\windows\system32\03.tmp --> c:\windows\system32\03.tmp [?]
S3 hsqfp;hsqfp;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 htkwv;htkwv;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [27.10.2011 18:54 100480]
S3 hzamodurx;hzamodurx;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 ieskei;ieskei;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 isibjyn;isibjyn;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 jmpjsg;jmpjsg;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 jxsorvrth;jxsorvrth;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 kgbyeql;kgbyeql;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 leelv;leelv;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 lfqhzl;lfqhzl;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 mcnxbeh;mcnxbeh;\??\c:\windows\system32\03.tmp --> c:\windows\system32\03.tmp [?]
S3 mrdckja;mrdckja;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 mwogt;mwogt;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 oiinag;oiinag;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 oxwkm;oxwkm;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 pekkhndti;pekkhndti;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 pyjfxj;pyjfxj;\??\c:\windows\system32\04.tmp --> c:\windows\system32\04.tmp [?]
S3 qtebrpert;qtebrpert;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 quzrptzvz;quzrptzvz;\??\c:\windows\system32\04.tmp --> c:\windows\system32\04.tmp [?]
S3 qvrfb;qvrfb;\??\c:\windows\system32\03.tmp --> c:\windows\system32\03.tmp [?]
S3 sintrbobf;sintrbobf;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 vwcpog;vwcpog;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 wdhpcxn;wdhpcxn;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 wocbet;wocbet;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 wwmjyt;wwmjyt;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 wxbubuh;wxbubuh;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 wzigjlm;wzigjlm;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 xufyavyl;xufyavyl;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 yobdj;yobdj;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 zcasmmlnw;zcasmmlnw;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 zluihi;zluihi;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 zvcidf;zvcidf;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
fedpq
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
2011-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-24 14:13]
.
2011-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-24 14:13]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Sladja\Application Data\Mozilla\Firefox\Profiles\xrab5ups.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox 3 Beta 3\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox 3 Beta 3\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox 3 Beta 3\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox 3 Beta 3\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox 3 Beta 3\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Zynga Community Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2011-10-29 11:22
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aulyi]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bhwth]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bourysmx]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\chlibgh]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmwgpaw]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ehcmvx]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\emosfcy]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\eulbijjq]
"ImagePath"="\??\c:\windows\system32\03.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gkfzqbxru]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gpbgalptw]
"ImagePath"="\??\c:\windows\system32\03.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gtvbpyo]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gvsgtkuz]
"ImagePath"="\??\c:\windows\system32\02B9.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gxkpn]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hoidusnxi]
"ImagePath"="\??\c:\windows\system32\03.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hsqfp]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\htkwv]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hzamodurx]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ieskei]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\isibjyn]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jmpjsg]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jxsorvrth]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kgbyeql]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\leelv]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lfqhzl]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mcnxbeh]
"ImagePath"="\??\c:\windows\system32\03.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mrdckja]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mwogt]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\oiinag]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\oxwkm]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pekkhndti]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pyjfxj]
"ImagePath"="\??\c:\windows\system32\04.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qtebrpert]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\quzrptzvz]
"ImagePath"="\??\c:\windows\system32\04.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qvrfb]
"ImagePath"="\??\c:\windows\system32\03.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sintrbobf]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vwcpog]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wdhpcxn]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wocbet]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wwmjyt]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wxbubuh]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wzigjlm]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xufyavyl]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\yobdj]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zcasmmlnw]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zluihi]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zvcidf]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fedpq]
"ServiceDll"="c:\windows\system32\qjvgct.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1148-)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(2372)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\windows\stsystra.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\program files\Vista Rainbar\Rainmeter.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2011-10-29 11:25:59 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-29 10:25
.
Pre-Run: 41.981.722.624 bytes free
Post-Run: 41.968.431.104 bytes free
.
- - End Of File - - D23D34EC1B92658D168A821D12AA7DEB

  • Dragan Đurašinović
  • Joined: 20 Dec 2008
  • Posts: 82

Just letting you know that I'm waiting for further instructions; I haven't done anything.

  • Més que un club
  • Lead vocalist @ Harpun
  • Joined: 27 Feb 2009
  • Posts: 3898
  • Location: Novi Sad, Klisa

Open Notepad and copy the following text into it:

File::
c:\windows\system32\02.tmp
c:\windows\system32\03.tmp
c:\windows\system32\02B9.tmp
c:\windows\system32\04.tmp
c:\windows\system32\qjvgct.dll

Driver::
aulyi
bhwth
bourysmx
chlibgh
dmwgpaw
ehcmvx
emosfcy
eulbijjq
gkfzqbxru
gpbgalptw
gtvbpyo
gvsgtkuz
gxkpn
hoidusnxi
hsqfp
htkwv
hzamodurx
ieskei
isibjyn
jmpjsg
jxsorvrth
kgbyeql
leelv
lfqhzl
mcnxbeh
mrdckja
mwogt
oiinag
oxwkm
pekkhndti
pyjfxj
qtebrpert
quzrptzvz
qvrfb
sintrbobf
vwcpog
wdhpcxn
wocbet
wwmjyt
wxbubuh
wzigjlm
xufyavyl
yobdj
zcasmmlnw
zluihi
zvcidf

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9058:TCP"=-

NetSvc::
fedpq


Save the Notepad file to the Desktop as "CFScript"

Drag the saved script/text file onto the ComboFix icon as shown in the picture.
Post the log that is produced at the end of the cleaning/scanning in your next message.
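As an added example (not code from this thread, from ComboFix, or from the AMF team), here is a Python triage helper that parses a REGEDIT4-style services dump like the one at the end of the log above and renders the result in the CFScript layout used in the post above (File::, Driver::, NetSvc::). It flags the two indicators the helper acted on: a service whose ImagePath is a .tmp file under system32, and an svchost-hosted service whose ServiceDll lives in system32, which is only listed for review because legitimate svchost services carry a ServiceDll too. The sample dump is constructed from entries in this thread plus one benign ESET entry; the flagging rules are this example's own heuristics, not ComboFix's detection logic, and the Registry:: section (the firewall port exception) is not generated.

```python
"""Triage helper for a ComboFix-style REGEDIT4 services dump.

Added example, not part of the thread or of ComboFix. Parses
[HKLM\\System\\ControlSetNNN\\Services\\<name>] blocks, flags the
indicators seen in this thread's log, and emits CFScript sections.
The flagging rules are this example's heuristics, not ComboFix's.
"""
import re
from typing import Dict, Tuple

# Constructed sample in the same shape as the dump in the thread: three
# entries copied from the log plus one benign entry (ESET's ekrn service)
# to show that an ordinary service is not flagged.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aulyi]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pyjfxj]
"ImagePath"="\??\c:\windows\system32\04.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fedpq]
"ServiceDll"="c:\windows\system32\qjvgct.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ekrn]
"ImagePath"="c:\program files\ESET\ESET Smart Security\ekrn.exe"
"""

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]\\]+)\]$", re.I)
VALUE_RE = re.compile(r'^"(ImagePath|ServiceDll)"="(.*)"$', re.I)


def parse_services(dump: str) -> Dict[str, Dict[str, str]]:
    """Map service name -> {"ImagePath": ..., "ServiceDll": ...}."""
    services: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            services.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            services[current][val.group(1)] = val.group(2)
    return services


def normalize_path(value: str) -> str:
    """Strip the NT object-manager prefix '\\??\\' and lower-case for comparison."""
    v = value.strip()
    if v.startswith("\\??\\"):
        v = v[4:]
    return v.lower()


def find_suspicious(services: Dict[str, Dict[str, str]]
                    ) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (tmp_drivers, dll_services).

    tmp_drivers: services whose ImagePath is a .tmp file under system32
                 (a kernel driver registered from a temp file, as in the log).
    dll_services: svchost-hosted services with a ServiceDll, listed for
                  manual review against a known-good baseline.
    """
    tmp_drivers: Dict[str, str] = {}
    dll_services: Dict[str, str] = {}
    for name, values in services.items():
        if "ImagePath" in values:
            path = normalize_path(values["ImagePath"])
            if path.startswith("c:\\windows\\system32\\") and path.endswith(".tmp"):
                tmp_drivers[name] = path
        if "ServiceDll" in values:
            dll_services[name] = normalize_path(values["ServiceDll"])
    return tmp_drivers, dll_services


def build_cfscript(tmp_drivers: Dict[str, str], dll_services: Dict[str, str]) -> str:
    """Render the flagged entries in CFScript layout (File::/Driver::/NetSvc::)."""
    files = sorted(set(tmp_drivers.values()) | set(dll_services.values()))
    lines = ["File::", *files, "",
             "Driver::", *sorted(tmp_drivers), "",
             "NetSvc::", *sorted(dll_services), ""]
    return "\n".join(lines)


if __name__ == "__main__":
    tmp, dll = find_suspicious(parse_services(SAMPLE_DUMP))
    print(build_cfscript(tmp, dll))
```

Run as a script it prints a CFScript with the two .tmp drivers and fedpq; on a full dump, every ServiceDll entry ends up in NetSvc::, so that list is a review queue to compare against a clean machine, not a removal list.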

  • Dragan Đurašinović
  • Joined: 20 Dec 2008
  • Posts: 82

The first time I did this NOD was still running, so I repeated it once more with it turned off; I hope I didn't mess something up.
I'll post both reports here, the first one inline and the second (with NOD turned off) as an attachment:

ComboFix 11-10-29.03 - Sladja 30.10.2011 16:28:06.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.894.400 [GMT 0:00]
Running from: c:\documents and settings\Sladja\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sladja\Desktop\CFScript.txt
AV: ESET Smart Security 3.0 *Enabled/Outdated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active
.
.
FILE ::
"c:\windows\system32\02.tmp"
"c:\windows\system32\02B9.tmp"
"c:\windows\system32\03.tmp"
"c:\windows\system32\04.tmp"
"c:\windows\system32\qjvgct.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\qjvgct.dll
.
Infected copy of c:\windows\system32\msgsvc.dll was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\msgsvc.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_aulyi
-------\Service_bhwth
-------\Service_bourysmx
-------\Service_chlibgh
-------\Service_dmwgpaw
-------\Service_ehcmvx
-------\Service_emosfcy
-------\Service_eulbijjq
-------\Service_gkfzqbxru
-------\Service_gpbgalptw
-------\Service_gtvbpyo
-------\Service_gvsgtkuz
-------\Service_gxkpn
-------\Service_hoidusnxi
-------\Service_hsqfp
-------\Service_htkwv
-------\Service_hzamodurx
-------\Service_ieskei
-------\Service_isibjyn
-------\Service_jmpjsg
-------\Service_jxsorvrth
-------\Service_kgbyeql
-------\Service_leelv
-------\Service_lfqhzl
-------\Service_mcnxbeh
-------\Service_mrdckja
-------\Service_mwogt
-------\Service_oiinag
-------\Service_oxwkm
-------\Service_pekkhndti
-------\Service_pyjfxj
-------\Service_qtebrpert
-------\Service_quzrptzvz
-------\Service_qvrfb
-------\Service_sintrbobf
-------\Service_vwcpog
-------\Service_wdhpcxn
-------\Service_wocbet
-------\Service_wwmjyt
-------\Service_wxbubuh
-------\Service_wzigjlm
-------\Service_xufyavyl
-------\Service_yobdj
-------\Service_zcasmmlnw
-------\Service_zluihi
-------\Service_zvcidf
-------\Legacy_fedpq
-------\Service_fedpq
.
.
((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-30 )))))))))))))))))))))))))))))))
.
.
2011-10-27 22:14 . 2008-01-07 13:29 352 ---ha-w- c:\windows\nod32fixtemdono.reg
2011-10-27 22:05 . 2011-10-27 22:05 -------- d-----w- c:\documents and settings\Sladja\Application Data\ESET
2011-10-27 20:11 . 2011-10-27 20:11 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2011-10-27 19:42 . 2011-10-27 22:28 -------- d-----w- c:\documents and settings\Sladja\Local Settings\Application Data\ESET
2011-10-27 19:40 . 2011-10-27 22:02 -------- d-----w- c:\program files\ESET
2011-10-27 19:40 . 2011-10-27 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2011-10-27 17:54 . 2009-08-19 10:47 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2011-10-27 17:54 . 2009-08-19 10:47 112640 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2011-10-27 17:54 . 2009-08-19 10:47 102528 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2011-10-27 17:54 . 2009-08-19 10:47 100480 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
2011-10-27 17:54 . 2011-10-27 17:55 -------- d-----w- c:\program files\mts mobilni internet
2011-10-09 12:47 . 2011-10-09 12:47 -------- d-----w- c:\documents and settings\Sladja\Local Settings\Application Data\Identities
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2002-12-31 . A77219A971029DC2FB683E8513713803 . 215552 . . [5.1.2600.2055] . . c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-10-29_10.06.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-30 16:36 . 2011-10-30 16:36 16384 c:\windows\Temp\Perflib_Perfdata_848.dat
- 2011-10-29 10:06 . 2011-10-29 10:06 16384 c:\windows\Temp\Perflib_Perfdata_57c.dat
+ 2011-10-30 16:36 . 2011-10-30 16:36 16384 c:\windows\Temp\Perflib_Perfdata_57c.dat
+ 2002-12-31 12:00 . 2011-10-30 06:52 54460 c:\windows\system32\perfc009.dat
- 2002-12-31 12:00 . 2011-10-29 09:19 54460 c:\windows\system32\perfc009.dat
+ 2002-12-31 12:00 . 2011-10-30 06:52 384464 c:\windows\system32\perfh009.dat
- 2002-12-31 12:00 . 2011-10-29 09:19 384464 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vista Rainbar"="c:\program files\Vista Rainbar\Vista Rainbar.exe" [2009-08-26 47033]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-06-21 35328]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-10-28 30192]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2002-12-31 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [21.12.2007 7:21 468224]
S2 fedpq;Windows Manager;c:\windows\system32\svchost.exe -k netsvcs [31.12.2002 12:00 14336]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [28.10.2011 20:00 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [24.5.2010 14:13 133104]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [27.10.2011 17:54 100480]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
2011-10-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-24 14:13]
.
2011-10-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-24 14:13]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Sladja\Application Data\Mozilla\Firefox\Profiles\xrab5ups.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox 3 Beta 3\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox 3 Beta 3\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox 3 Beta 3\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox 3 Beta 3\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox 3 Beta 3\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Zynga Community Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2011-10-30 16:36
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fedpq]
"ServiceDll"="c:\windows\system32\qjvgct.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1144)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(3996)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\windows\stsystra.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\program files\Vista Rainbar\Rainmeter.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2011-10-30 16:39:45 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-30 16:39
ComboFix2.txt 2011-10-29 10:26
.
Pre-Run: 42.018.295.808 bytes free
Post-Run: 42.016.313.344 bytes free
.
- - End Of File - - 4C315262E51E0D7C1A214C5EEC93D5EC

This is the second time:

  • Més que un club
  • Lead vocalist @ Harpun
  • Joined: 27 Feb 2009
  • Posts: 3898
  • Location: Novi Sad, Klisa

Open Notepad and copy the following text into it:

File::
c:\windows\system32\qjvgct.dll

Driver::
fedpq

netsvc::
fedpq


Save the Notepad file to the Desktop as "CFScript"

Drag the saved script/text file onto the ComboFix icon as shown in the picture.
Post the log that is produced at the end of the cleaning/scanning in your next message.

NIx Car (AMF Team)

  • Dragan Đurašinović
  • Joined: 20 Dec 2008
  • Posts: 82

ComboFix 11-10-29.03 - Sladja 31.10.2011 23:04:40.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.894.411 [GMT 0:00]
Running from: c:\documents and settings\Sladja\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sladja\Desktop\CFScript.txt
AV: ESET Smart Security 3.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
FILE ::
"c:\windows\system32\qjvgct.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\msgsvc.dll was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\msgsvc.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_FEDPQ
-------\Service_fedpq
.
.
((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-31 )))))))))))))))))))))))))))))))
.
.
2011-10-27 22:14 . 2008-01-07 13:29 352 ---ha-w- c:\windows\nod32fixtemdono.reg
2011-10-27 22:05 . 2011-10-27 22:05 -------- d-----w- c:\documents and settings\Sladja\Application Data\ESET
2011-10-27 20:11 . 2011-10-27 20:11 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2011-10-27 19:42 . 2011-10-27 22:28 -------- d-----w- c:\documents and settings\Sladja\Local Settings\Application Data\ESET
2011-10-27 19:40 . 2011-10-27 22:02 -------- d-----w- c:\program files\ESET
2011-10-27 19:40 . 2011-10-27 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2011-10-27 17:54 . 2009-08-19 10:47 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2011-10-27 17:54 . 2009-08-19 10:47 112640 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2011-10-27 17:54 . 2009-08-19 10:47 102528 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2011-10-27 17:54 . 2009-08-19 10:47 100480 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
2011-10-27 17:54 . 2011-10-27 17:55 -------- d-----w- c:\program files\mts mobilni internet
2011-10-09 12:47 . 2011-10-09 12:47 -------- d-----w- c:\documents and settings\Sladja\Local Settings\Application Data\Identities
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2002-12-31 . A77219A971029DC2FB683E8513713803 . 215552 . . [5.1.2600.2055] . . c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-10-29_10.06.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-31 23:12 . 2011-10-31 23:12 16384 c:\windows\Temp\Perflib_Perfdata_9e4.dat
+ 2011-10-31 23:11 . 2011-10-31 23:11 16384 c:\windows\Temp\Perflib_Perfdata_574.dat
+ 2002-12-31 12:00 . 2011-10-31 15:30 54460 c:\windows\system32\perfc009.dat
- 2002-12-31 12:00 . 2011-10-29 09:19 54460 c:\windows\system32\perfc009.dat
+ 2002-12-31 12:00 . 2011-10-31 15:30 384464 c:\windows\system32\perfh009.dat
- 2002-12-31 12:00 . 2011-10-29 09:19 384464 c:\windows\system32\perfh009.dat
+ 2009-12-15 21:24 . 2011-10-05 10:09 48324552 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vista Rainbar"="c:\program files\Vista Rainbar\Vista Rainbar.exe" [2009-08-26 47033]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-06-21 35328]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-10-28 30192]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2002-12-31 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [21.12.2007 7:21 468224]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [28.10.2011 20:00 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [24.5.2010 14:13 133104]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [27.10.2011 17:54 100480]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
2011-10-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-24 14:13]
.
2011-10-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-24 14:13]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Sladja\Application Data\Mozilla\Firefox\Profiles\xrab5ups.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox 3 Beta 3\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox 3 Beta 3\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox 3 Beta 3\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox 3 Beta 3\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox 3 Beta 3\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Zynga Community Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2011-10-31 23:12
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1120)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(1664)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\windows\stsystra.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\program files\Vista Rainbar\Rainmeter.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
.
**************************************************************************
.
Completion time: 2011-10-31 23:15:32 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-31 23:15
ComboFix2.txt 2011-10-30 17:05
ComboFix3.txt 2011-10-30 16:39
ComboFix4.txt 2011-10-29 10:26
.
Pre-Run: 41.932.615.680 bytes free
Post-Run: 41.920.520.192 bytes free
.
- - End Of File - - CE2FBC35173500C2A3C28F9995EEAF6B

  • Més que un club
  • Lead vocalist @ Harpun
  • Joined: 27 Feb 2009
  • Posts: 3898
  • Location: Novi Sad, Klisa

There are no signs of infection in the new log. But you still need to do a few more things:

Step 1

ComboFix needs to be uninstalled:
click Start, then Run.

On Vista, use the Start Search field if Run is not available.

In the text input field type (or paste) the following:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

then click OK (or press Enter).

Wait for the uninstall process to finish.

---------------------------------------------------------------------------





Step 2

- I recommend that you install Service Pack 3 for Windows XP, i.e. update your operating system. I won't go into its advantages over Service Pack 2; you can find that information on Microsoft's site. The main point is that on 13 July 2010 Microsoft ended support for Service Pack 2, which is what is installed on your computer.

What does that mean? See this link: http://windows.microsoft.com/en-US/windows/help/what-does-end-of-support-mean

**** If you decide to take this step (installing SP3), I recommend that you back up all important data first.
--------------------------------------------------------------------------------------



Step 3

- For protecting USB storage devices I recommend that you use MCShield. It has nothing to do with the antivirus, i.e. it won't interfere with its work, and it has proven to be one of the best forms of protection against malware that spreads via USB storage devices.

You download it, install it, plug in a USB storage device, a scan runs, and then you get a notification that the device is clean (if it really is), or a log showing information about the malware that was found and deleted.

MCShield home page: http://amf.mycity.rs/programs/mc/mcshield/

You can find out more about MCShield in this thread: http://www.mycity.rs/Antispyware-programi/MCShield.html



----------------------------------------------------------------------------------



Also, I noticed in the logs that you are using a cracked version of the popular antivirus NOD32. If you don't have the money to buy a licence, my advice is to switch to some other antivirus that is free (Avast, Avira, MSE, Panda Cloud or another).

Note: installing two antivirus programs at the same time is not recommended, because they make your operating system unstable.



  • Dragan Đurašinović
  • Joined: 20 Dec 2008
  • Posts: 82

OK, thanks a lot for both the advice and the help. I don't notice any more viruses either; I transferred some things to my computer with a flash drive and it didn't detect any virus. I just wanted to ask one more thing: when I turn on the computer it asks me to press any key to continue booting, because the message says it can't recognise the battery. It's not a big problem, but I thought I'd ask whether it can somehow be made to boot without pressing any key? And I also have some pop-up window for a dial-up connection that pops up very often and is extremely annoying, so how do I remove that? Thanks again and regards!
