|
[ vana077 @ 23.08.2009. 19:57 ] @
[ Dashkes @ 23.08.2009. 20:20 ] @
Bilo bi bolje ako mozete da pokazete HijackThis log.
Kada ga preuzmete, preimenujte fajl u bilo sta, npr. “destruct0.exe”. Pokrenite ga i kliknite “Do a system scan and save a logfile”. Taj log iskopirajte ovde. [ vana077 @ 23.08.2009. 20:50 ] @
Skenirala i to izgleda ovako:
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 20:46:18, on 23.8.2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\ASUS\GamerOSD\GamerOSD.exe C:\Program Files\GameFace Messenger\GameFace.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\Analog Devices\SoundMAX\Smax4.exe C:\WINDOWS\Mixer.exe C:\Program Files\PowerISO\PWRISOVM.EXE C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Winamp\winampa.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe C:\WINDOWS\ATKKBService.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\slserv.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\uTorrent\uTorrent.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Alwil Software\Avast4\setup\avast.setup C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbar...13925&gct=&gc=1&q= R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbar...13925&gct=&gc=1&q= R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbar...925&gct=&gc=1&q=%s R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll R3 - URLSearchHook: The Pirate Bay Toolbar - {a33fa729-d155-4b23-842b-2c665ecabdb6} - C:\Program Files\The_Pirate_Bay\tbThe1.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: D - {8A92290F-B93D-353A-A61F-C6248CB06607} - C:\WINDOWS\system32\xwr74862.dll O2 - BHO: The Pirate Bay Toolbar - {a33fa729-d155-4b23-842b-2c665ecabdb6} - C:\Program Files\The_Pirate_Bay\tbThe1.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll O3 - Toolbar: The Pirate Bay Toolbar - {a33fa729-d155-4b23-842b-2c665ecabdb6} - C:\Program Files\The_Pirate_Bay\tbThe1.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe O4 - HKLM\..\Run: [GameFace Messenger] C:\Program Files\GameFace Messenger\GameFace.exe O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup O4 - HKLM\..\Run: [TQ566808] "F:\setup.exe" O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ? O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html O8 - Extra context menu item: &Search - ?p=ZJxdm411YYRS O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/edia...nstall/HPProductDetection2.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{A47073BA-E1CD-4EF9-B9E2-A6DD58D30A33}: NameServer = 10.10.10.51,10.10.10.52 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O18 - Filter hijack: text/html - {ebb149d4-7716-4ce1-ad89-98a83d7ed15a} - C:\WINDOWS\mark_32.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe O23 - Service: ?????? Google Update (gupdate1ca0fa4ddc87cbc) (gupdate1ca0fa4ddc87cbc) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe -- End of file - 12409 bytes [ Dashkes @ 23.08.2009. 20:57 ] @
Stiklirajte sledece objekte i kliknite “Fix checked”
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbar...13925&gct=&gc=1&q= R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbar...13925&gct=&gc=1&q= R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbar...925&gct=&gc=1&q=%s O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll O2 - BHO: D - {8A92290F-B93D-353A-A61F-C6248CB06607} - C:\WINDOWS\system32\xwr74862.dll O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll O8 - Extra context menu item: &Search - ?p=ZJxdm411YYRS O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/edia...nstall/HPProductDetection2.cab O18 - Filter hijack: text/html - {ebb149d4-7716-4ce1-ad89-98a83d7ed15a} - C:\WINDOWS\mark_32.dll O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe Ako ovo nije vase onda izbrisite O4 - HKLM\..\Run: [GameFace Messenger] C:\Program Files\GameFace Messenger\GameFace.exe Ako mozete fajlove C:\WINDOWS\system32\xwr74862.dll C:\WINDOWS\mark_32.dll C:\Program Files\GameFace Messenger\GameFace.exe da zapakujete u ".rar"/".zip" sa password-om "virus", upload-ujete na Rapidshare i posaljete mi link preko PP. [ vana077 @ 23.08.2009. 21:13 ] @
Fajlovi koje ste mi objasnili da ih zapakujem i uploadujem na rapidshare ne postoje u sistemu, ali ima jedan slican:
system32\xwr42648.dll GameFace je od Assusove graficke karte, instaliran je zajedno sa driverom od graficke. Hocete da ipak posaljem GameFace? I inace, kad sam restartovala racunar, ponovo se u procesima pojavio IEEXPLORE.EXE, ali samo jedan, sto za mene znaci napredak :) [ Dashkes @ 23.08.2009. 21:16 ] @
[ vana077 @ 23.08.2009. 21:31 ] @
Naravno da moze :)
Evo novog loga: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 22:29:10, on 23.8.2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\ASUS\GamerOSD\GamerOSD.exe C:\Program Files\GameFace Messenger\GameFace.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\Analog Devices\SoundMAX\Smax4.exe C:\WINDOWS\Mixer.exe C:\Program Files\PowerISO\PWRISOVM.EXE C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Winamp\winampa.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe C:\WINDOWS\ATKKBService.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe C:\WINDOWS\system32\slserv.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll R3 - URLSearchHook: The Pirate Bay Toolbar - {a33fa729-d155-4b23-842b-2c665ecabdb6} - C:\Program Files\The_Pirate_Bay\tbThe1.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: The Pirate Bay Toolbar - {a33fa729-d155-4b23-842b-2c665ecabdb6} - C:\Program Files\The_Pirate_Bay\tbThe1.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll O3 - Toolbar: The Pirate Bay Toolbar - {a33fa729-d155-4b23-842b-2c665ecabdb6} - C:\Program Files\The_Pirate_Bay\tbThe1.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe O4 - HKLM\..\Run: [GameFace Messenger] C:\Program Files\GameFace Messenger\GameFace.exe O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup O4 - HKLM\..\Run: [TQ566808] "F:\setup.exe" O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ? O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/edia...nstall/HPProductDetection2.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{A47073BA-E1CD-4EF9-B9E2-A6DD58D30A33}: NameServer = 10.10.10.51,10.10.10.52 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O18 - Filter hijack: text/html - {ebb149d4-7716-4ce1-ad89-98a83d7ed15a} - C:\WINDOWS\mark_32.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe O23 - Service: ?????? Google Update (gupdate1ca0fa4ddc87cbc) (gupdate1ca0fa4ddc87cbc) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe -- End of file - 11450 bytes za koji minut cu spakovati onaj .dll i dici ga na rapid [ Dashkes @ 23.08.2009. 21:38 ] @
Stiklirajte sledeci objekat i kliknite “Fix checked”
O18 - Filter hijack: text/html - {ebb149d4-7716-4ce1-ad89-98a83d7ed15a} - C:\WINDOWS\mark_32.dll Preuzmite program Dr.Web CureIt!. • Posle preuzimanja restartujte racunar u Safe Mode-u (dok se pali racunar pritiskajte F8 pa kada se pojavi meni odaberite Safe Mode). • Kada se ucita Safe Mode pokrenite Dr.Web CureIt!. • Kad se upali odaberite Start. On ce automatski poceti da skenira racunar. Pustiti da skenira (to je Express Scan). • Kada zavrsi sa skeniranjem odaberite kompletno skeniranje - Complete scan i sa desne strane pritisnite dugme Start Scanning (izgleda kao Play dugme). Moram da vas upozorim da kompletno skeniranje moze da potraje nekoliko sati! Pokazite log (zapakujte u ".rar" arhivu i upload-ujte) CureIt!-a koji se nalazi u C:\Documents and Settings\USERNAME\DoctorWeb\ P.S. Moze i samo skeniranje foldera Documents and Settings i WINDOWS. [ vana077 @ 23.08.2009. 21:44 ] @
Nekoliko sati!!!
Ali ako je za mog ljubimca, ni to nije mnogo... Onda cu vam sutra dostaviti rezultate, jer bih stavila da skenira nocas kad pozavrsavam sve obaveze preko racunara. Hvala na pomoci i dokucavamo se sutra [ Dashkes @ 23.08.2009. 21:47 ] @
Pokusajte samo skeniranje foldera Documents and Settings i WINDOWS, to ne bi trajalo dugo.
I ako moze log RootRepeal-a 1. Skinite sa http://rootrepeal.googlepages.com/RootRepeal.rar 2. Odradite sve kao na slici prateci postupke po broju  [ vana077 @ 23.08.2009. 23:06 ] @
Jednostavno nece sa RootRepeal-a! Tri puta sam pokusavala, ali jednostavno pokrene inicializaciju i tu stane, i to onda traje i traje i onda se pojavi pescanik i zamrzne sve, pa sam restartovala racunar. Pokusacu jos jednom veceras, ali cini mi se da ste rekli da bi to trebalo biti brzo, a ovo je jako dugo trajalo
[ Dashkes @ 23.08.2009. 23:14 ] @
[ vana077 @ 24.08.2009. 07:38 ] @
Evo od GMER-a, bogme i to trajalo skoro celu noc :)
Kaze da ima jedan Rootkit GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net Rootkit scan 2009-08-24 05:18:46 Windows 5.1.2600 Service Pack 2 ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF2B766B8] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF2B76574] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF2B76A52] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF2B7614C] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF2B7664E] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF2B7608C] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF2B760F0] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF2B7676E] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF2B7672E] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF2B768AE] ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Internet Explorer\iexplore.exe[1464] kernel32.dll!ExitProcess 7C81CDEA 5 Bytes JMP 03501047 C:\WINDOWS\mark_32.dll ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\WINDOWS\system32\services.exe[912] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00370002 IAT C:\WINDOWS\system32\services.exe[912] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00370000 ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software) AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) ---- Services - GMER 1.0.15 ---- Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] eorfdpwuq <-- ROOTKIT !!! ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\eorfdpwuq@DisplayName Task Shell Reg HKLM\SYSTEM\CurrentControlSet\Services\eorfdpwuq@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\Services\eorfdpwuq@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\eorfdpwuq@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\eorfdpwuq@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs Reg HKLM\SYSTEM\CurrentControlSet\Services\eorfdpwuq@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\Services\eorfdpwuq@Description Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Reg HKLM\SYSTEM\CurrentControlSet\Services\eorfdpwuq\Parameters Reg HKLM\SYSTEM\CurrentControlSet\Services\eorfdpwuq\Parameters@ServiceDll C:\WINDOWS\system32\lzdrcpa.dll Reg HKLM\SYSTEM\ControlSet002\Services\eorfdpwuq@DisplayName Task Shell Reg HKLM\SYSTEM\ControlSet002\Services\eorfdpwuq@Type 32 Reg HKLM\SYSTEM\ControlSet002\Services\eorfdpwuq@Start 2 Reg HKLM\SYSTEM\ControlSet002\Services\eorfdpwuq@ErrorControl 0 Reg HKLM\SYSTEM\ControlSet002\Services\eorfdpwuq@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs Reg HKLM\SYSTEM\ControlSet002\Services\eorfdpwuq@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\Services\eorfdpwuq@Description Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Reg HKLM\SYSTEM\ControlSet002\Services\eorfdpwuq\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\eorfdpwuq\Parameters@ServiceDll C:\WINDOWS\system32\lzdrcpa.dll ---- EOF - GMER 1.0.15 ---- PS: I da, opet se pojavio mark32.dll, pakujem ga u rar sa passwordom virus i saljem PP [ Dashkes @ 24.08.2009. 08:53 ] @
Pogledajte ako mozete da li ima u folderu C:\WINDOWS\System32\Drivers\ fajl eorfdpwuq.sys preko GMER-a (tab ">>>" > Files). Ako ima, zamolio bih Vas da mi ga posaljete, kao i fajl C:\WINDOWS\system32\lzdrcpa.dll.
Fajl koji ste mi poslali - C:\WINDOWS\mark_32.dll Kliknite na tab ">>>" > CMD > izaberite CMD.EXE Prekopirajte sledece u gornje polje i kliknite Run Code: gmer.exe -killall gmer.exe -del service eorfdpwuq gmer.exe -killfile "C:\WINDOWS\System32\Drivers\eorfdpwuq.sys" gmer.exe -killfile "C:\WINDOWS\system32\lzdrcpa.dll" gmer.exe -killfile "C:\WINDOWS\mark_32.dll" gmer.exe -del file "C:\WINDOWS\System32\Drivers\eorfdpwuq.sys" gmer.exe -del file "C:\WINDOWS\system32\lzdrcpa.dll" gmer.exe -del file "C:\WINDOWS\mark_32.dll" gmer.exe -reboot [ vana077 @ 24.08.2009. 10:44 ] @
Izgleda da sam ja brza nego sto treba :)
Po savetu Kristi 1 sam uradila log ComboFix. Nema fajlova koje vi trazite, ali moguce da su sada obrisani sa Combo-om. Log izgleda ovako (mnooogo je dugacak): ComboFix 09-08-23.01 - Internet Nanny 24.08.2009 11:25.1.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.733 [GMT 2:00] Running from: c:\documents and settings\Internet Nanny\Desktop\ComboFix.exe AV: avast! antivirus 4.8.1351 [VPS 090823-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D} FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\AskSearch\bin\DefaultSearch.dll c:\windows\Fonts\Wphv07nb.ttf c:\windows\mark_32.dll c:\windows\ph401.dll c:\windows\system32\xwr42648.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_MYWEBSEARCHSERVICE ((((((((((((((((((((((((( Files Created from 2009-07-24 to 2009-08-24 ))))))))))))))))))))))))))))))) . 2009-08-23 18:44 . 2009-08-23 18:44 -------- d-----w- c:\program files\Trend Micro 2009-08-23 15:45 . 2009-08-23 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-08-23 15:45 . 2009-08-23 15:48 -------- d-----w- c:\program files\Spybot - Search & Destroy 2009-08-12 01:01 . 2004-08-03 23:56 221184 ----a-w- c:\windows\system32\wmpns.dll 2009-08-12 01:00 . 2009-08-12 01:00 -------- d-----w- c:\windows\ServicePackFiles 2009-08-09 01:04 . 2009-08-09 01:04 -------- d-----w- c:\windows\system32\XPSViewer 2009-08-09 01:03 . 2009-08-09 01:03 -------- d-----w- c:\program files\Reference Assemblies 2009-08-09 01:03 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll 2009-08-09 01:03 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll 2009-08-09 01:03 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll 2009-08-09 01:03 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll 2009-08-09 01:03 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll 2009-08-09 01:03 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll 2009-08-09 01:03 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe 2009-08-09 01:00 . 2009-08-09 01:00 -------- d-----w- c:\program files\MSXML 6.0 2009-08-01 18:15 . 2009-08-01 18:15 -------- d-----w- c:\documents and settings\Internet Nanny\Local Settings\Application Data\Temp 2009-07-30 20:50 . 2009-07-30 20:50 -------- d-----w- c:\windows\Sun 2009-07-30 08:48 . 2009-07-30 08:48 410984 ----a-w- c:\windows\system32\deploytk.dll 2009-07-30 08:48 . 2009-07-30 08:48 -------- d-----w- c:\program files\Java 2009-07-30 08:48 . 2009-07-30 08:48 152576 ----a-w- c:\documents and settings\Internet Nanny\Application Data\Sun\Java\jre1.6.0_14\lzma.dll 2009-07-30 07:40 . 2009-07-16 12:02 52224 ----a-w- c:\documents and settings\Internet Nanny\Application Data\Mozilla\Firefox\Profiles\tgkm7d2a.default\extensions\{a33fa729-d155-4b23-842b-2c665ecabdb6}\components\FFExternalAlert.dll 2009-07-30 07:40 . 2009-07-16 12:02 114688 ----a-w- c:\documents and settings\Internet Nanny\Application Data\Mozilla\Firefox\Profiles\tgkm7d2a.default\extensions\{a33fa729-d155-4b23-842b-2c665ecabdb6}\components\npmozax.dll 2009-07-30 07:37 . 2009-03-24 12:43 43008 ----a-w- c:\documents and settings\Internet Nanny\Application Data\Mozilla\Firefox\Profiles\tgkm7d2a.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll 2009-07-30 07:37 . 2009-03-24 12:43 43008 ----a-w- c:\documents and settings\Internet Nanny\Application Data\Mozilla\Firefox\Profiles\tgkm7d2a.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll 2009-07-30 07:37 . 2009-03-24 12:43 235520 ----a-w- c:\documents and settings\Internet Nanny\Application Data\Mozilla\Firefox\Profiles\tgkm7d2a.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff2.dll 2009-07-30 07:37 . 2009-03-24 12:43 338432 ----a-w- c:\documents and settings\Internet Nanny\Application Data\Mozilla\Firefox\Profiles\tgkm7d2a.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll 2009-07-30 07:37 . 2009-03-24 12:42 235008 ----a-w- c:\documents and settings\Internet Nanny\Application Data\Mozilla\Firefox\Profiles\tgkm7d2a.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff3.dll 2009-07-30 07:37 . 2009-03-24 12:42 345088 ----a-w- c:\documents and settings\Internet Nanny\Application Data\Mozilla\Firefox\Profiles\tgkm7d2a.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll 2009-07-30 07:25 . 2009-07-30 07:25 0 ----a-w- c:\windows\nsreg.dat 2009-07-30 07:25 . 2009-07-30 07:25 -------- d-----w- c:\documents and settings\Internet Nanny\Local Settings\Application Data\Mozilla 2009-07-30 07:17 . 2009-07-30 07:17 -------- d-----w- c:\documents and settings\Internet Nanny\Local Settings\Application Data\Opera 2009-07-30 07:15 . 2009-07-30 07:16 7562568 ----a-w- c:\documents and settings\Internet Nanny\Application Data\Opera\Opera\Opera_964_int_Setup.exe 2009-07-28 17:15 . 2009-07-28 17:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google 2009-07-28 17:02 . 2009-08-24 06:45 -------- d-----w- c:\documents and settings\Internet Nanny\Application Data\skypePM 2009-07-28 17:02 . 2009-07-28 17:02 56 ---ha-w- c:\windows\system32\ezsidmv.dat 2009-07-28 17:00 . 2009-08-24 09:31 -------- d-----w- c:\documents and settings\Internet Nanny\Application Data\Skype 2009-07-28 17:00 . 2009-07-28 17:00 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google 2009-07-28 16:59 . 2009-07-28 16:59 -------- d-----w- c:\program files\Common Files\Skype 2009-07-28 16:59 . 2009-07-28 16:59 -------- d-----r- c:\program files\Skype 2009-07-28 16:59 . 2009-07-28 16:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-08-23 20:01 . 2009-05-27 13:26 -------- d-----w- c:\documents and settings\Internet Nanny\Application Data\uTorrent 2009-08-21 22:41 . 2008-12-24 17:27 196608 ----a-w- c:\windows\system32\drivers\nStandard.bin 2009-08-19 16:25 . 2008-12-24 17:27 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-08-19 16:23 . 2009-06-22 17:59 -------- d-----w- c:\program files\Dr.Kawashima 2009-08-17 16:10 . 2008-12-24 20:51 1279456 ----a-w- c:\windows\system32\aswBoot.exe 2009-08-17 16:06 . 2008-12-24 20:51 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys 2009-08-17 16:06 . 2008-12-24 20:51 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys 2009-08-17 16:05 . 2008-12-24 20:51 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys 2009-08-17 16:05 . 2008-12-24 20:51 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys 2009-08-17 16:04 . 2008-12-24 20:51 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys 2009-08-17 16:04 . 2008-12-24 20:51 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys 2009-08-17 16:03 . 2008-12-24 20:51 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys 2009-08-17 16:02 . 2008-12-24 20:51 97480 ----a-w- c:\windows\system32\AvastSS.scr 2009-08-09 05:41 . 2008-12-25 09:55 395848 ----a-w- c:\documents and settings\Internet Nanny\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-08-09 01:03 . 2008-12-24 19:16 -------- d-----w- c:\program files\MSBuild 2009-08-05 09:11 . 2004-08-03 23:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll 2009-07-30 07:17 . 2009-01-02 20:21 -------- d-----w- c:\program files\Opera 2009-07-28 17:01 . 2009-03-01 19:44 -------- d-----w- c:\program files\Google 2009-07-17 18:55 . 2004-08-03 23:56 58880 ----a-w- c:\windows\system32\atl.dll 2009-07-14 19:31 . 2009-06-02 18:20 -------- d-----w- c:\program files\The_Pirate_Bay 2009-07-13 00:18 . 2004-08-03 23:56 233472 ----a-w- c:\windows\system32\wmpdxm.dll 2009-06-28 19:05 . 2009-06-28 18:49 104070 ----a-w- c:\windows\hpoins04.dat 2009-06-28 18:55 . 2009-06-28 18:49 -------- d-----w- c:\program files\HP 2009-06-28 18:54 . 2009-06-28 18:54 -------- d-----w- c:\program files\Common Files\HP 2009-06-28 18:53 . 2009-06-28 18:53 -------- d-----w- c:\program files\Hewlett-Packard 2009-06-28 18:53 . 2009-06-28 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard 2009-06-28 18:52 . 2009-06-28 18:52 45056 ----a-r- c:\documents and settings\Internet Nanny\Application Data\Microsoft\Installer\{457791C5-D702-4143-A7B2-2744BE9573F2}\NewShortcut1_5B69D3033CA54B39B5ECE7D051297E77.exe 2009-06-28 17:10 . 2009-06-28 15:12 10134 ----a-r- c:\documents and settings\Internet Nanny\Application Data\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe 2009-06-28 14:47 . 2009-06-28 14:47 -------- d-----w- c:\program files\Common Files\Hewlett-Packard 2009-06-26 16:18 . 2004-08-03 23:56 659456 ----a-w- c:\windows\system32\wininet.dll 2009-06-26 16:18 . 2004-08-03 23:56 81920 ----a-w- c:\windows\system32\ieencode.dll 2009-06-25 18:36 . 2004-08-03 23:56 95744 ----a-w- c:\windows\system32\mqsec.dll 2009-06-25 18:36 . 2004-08-03 23:56 661504 ----a-w- c:\windows\system32\mqqm.dll 2009-06-25 18:36 . 2004-08-03 23:56 517120 ----a-w- c:\windows\system32\mqsnap.dll 2009-06-25 18:36 . 2004-08-03 23:56 48640 ----a-w- c:\windows\system32\mqupgrd.dll 2009-06-25 18:36 . 2004-08-03 23:56 471552 ----a-w- c:\windows\system32\mqutil.dll 2009-06-25 18:36 . 2004-08-03 23:56 47104 ----a-w- c:\windows\system32\mqdscli.dll 2009-06-25 18:36 . 2004-08-03 23:56 225280 ----a-w- c:\windows\system32\mqoa.dll 2009-06-25 18:36 . 2004-08-03 23:56 186880 ----a-w- c:\windows\system32\mqtrig.dll 2009-06-25 18:36 . 2004-08-03 23:56 177152 ----a-w- c:\windows\system32\mqrt.dll 2009-06-25 18:36 . 2004-08-03 23:56 16896 ----a-w- c:\windows\system32\mqise.dll 2009-06-25 18:36 . 2004-08-03 23:56 138240 ----a-w- c:\windows\system32\mqad.dll 2009-06-25 18:36 . 2004-08-03 23:56 123392 ----a-w- c:\windows\system32\mqrtdep.dll 2009-06-25 08:44 . 2004-08-03 23:56 59392 ----a-w- c:\windows\system32\wdigest.dll 2009-06-25 08:44 . 2004-08-03 23:56 56320 ----a-w- c:\windows\system32\secur32.dll 2009-06-25 08:44 . 2004-08-03 23:56 168448 ----a-w- c:\windows\system32\schannel.dll 2009-06-25 08:44 . 2004-08-03 23:56 724480 ----a-w- c:\windows\system32\lsasrv.dll 2009-06-25 08:44 . 2004-08-03 23:56 298496 ----a-w- c:\windows\system32\kerberos.dll 2009-06-25 08:44 . 2004-08-03 23:56 133632 ----a-w- c:\windows\system32\msv1_0.dll 2009-06-22 11:49 . 2004-08-03 23:56 19968 ----a-w- c:\windows\system32\mqbkup.exe 2009-06-22 11:49 . 2004-08-03 23:56 117248 ----a-w- c:\windows\system32\mqtgsvc.exe 2009-06-22 11:49 . 2004-08-03 23:56 4608 ----a-w- c:\windows\system32\mqsvc.exe 2009-06-22 11:48 . 2004-08-03 21:58 91776 ----a-w- c:\windows\system32\drivers\mqac.sys 2009-06-22 11:34 . 2004-08-03 21:59 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys 2009-06-16 14:55 . 2004-08-03 23:56 119808 ----a-w- c:\windows\system32\t2embed.dll 2009-06-16 14:55 . 2001-08-23 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll 2009-06-12 11:50 . 2004-08-03 23:56 80896 ----a-w- c:\windows\system32\tlntsess.exe 2009-06-12 11:50 . 2004-08-03 23:56 76288 ----a-w- c:\windows\system32\telnet.exe 2009-06-10 14:21 . 2004-08-03 23:56 84992 ----a-w- c:\windows\system32\avifil32.dll 2009-06-10 06:32 . 2004-08-03 23:56 132096 ----a-w- c:\windows\system32\wkssvc.dll 2009-06-05 07:42 . 2008-12-24 17:13 655872 ----a-w- c:\windows\system32\mstscax.dll 2009-06-03 19:27 . 2004-08-03 23:56 1290752 ----a-w- c:\windows\system32\quartz.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{a33fa729-d155-4b23-842b-2c665ecabdb6}"= "c:\program files\The_Pirate_Bay\tbThe1.dll" [2009-07-14 2215960] [HKEY_CLASSES_ROOT\clsid\{a33fa729-d155-4b23-842b-2c665ecabdb6}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a33fa729-d155-4b23-842b-2c665ecabdb6}] 2009-07-14 19:31 2215960 ----a-w- c:\program files\The_Pirate_Bay\tbThe1.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{a33fa729-d155-4b23-842b-2c665ecabdb6}"= "c:\program files\The_Pirate_Bay\tbThe1.dll" [2009-07-14 2215960] [HKEY_CLASSES_ROOT\clsid\{a33fa729-d155-4b23-842b-2c665ecabdb6}] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{A33FA729-D155-4B23-842B-2C665ECABDB6}"= "c:\program files\The_Pirate_Bay\tbThe1.dll" [2009-07-14 2215960] [HKEY_CLASSES_ROOT\clsid\{a33fa729-d155-4b23-842b-2c665ecabdb6}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-07-16 25604904] "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-10 8429568] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-10 81920] "ASUSGamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2007-06-01 380928] "GameFace Messenger"="c:\program files\GameFace Messenger\GameFace.exe" [2006-11-01 2154496] "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352] "PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768] "WinampAgent"="c:\program files\Winamp\winampa.exe" [2003-12-13 33792] "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000] "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2005-03-08 176128] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152] "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-30 148888] "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-05-10 1626112] "C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2003-03-20 1855488] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-1-9 25214] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664] HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "e:\\igre novije\\C&C\\ZH\\game.dat"= "d:\\Igre\\ZooT\\zt.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "2940:TCP"= 2940:TCP:dgllgi "10304:TCP"= 10304:TCP:Utorrent R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [24.12.2008 22:51 114768] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [24.12.2008 22:51 20560] S2 eorfdpwuq;Task Shell;c:\windows\system32\svchost.exe -k netsvcs [4.8.2004 1:56 14336] S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [27.5.2009 15:27 234888] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs eorfdpwuq . Contents of the 'Scheduled Tasks' folder 2009-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-28 17:00] 2009-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-28 17:00] . - - - - ORPHANS REMOVED - - - - WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll HKLM-Run-TQ566808 - F:\setup.exe . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ uInternet Connection Wizard,ShellNext = iexplore IE: &Google Search - c:\program files\Google\googletoolbar.dll/cmsearch.html IE: Backward &Links - c:\program files\Google\googletoolbar.dll/cmbacklinks.html IE: Cac&hed Snapshot of Page - c:\program files\Google\googletoolbar.dll/cmcache.html IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 IE: Si&milar Pages - c:\program files\Google\googletoolbar.dll/cmsimilar.html IE: Translate into English - c:\program files\Google\googletoolbar.dll/cmtrans.html TCP: {A47073BA-E1CD-4EF9-B9E2-A6DD58D30A33} = 10.10.10.51,10.10.10.52 FF - ProfilePath - c:\documents and settings\Internet Nanny\Application Data\Mozilla\Firefox\Profiles\tgkm7d2a.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1361345&SearchSource=3&q={searchTerms} FF - prefs.js: browser.search.selectedEngine - The Pirate Bay Customized Web Search FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1361345&SearchSource=2&q= FF - component: c:\documents and settings\Internet Nanny\Application Data\Mozilla\Firefox\Profiles\tgkm7d2a.default\extensions\{a33fa729-d155-4b23-842b-2c665ecabdb6}\components\FFExternalAlert.dll FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120); c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072); c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35"); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json"); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-08-24 11:31 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\eorfdpwuq] "ServiceDll"="c:\windows\system32\lzdrcpa.dll" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(3932) c:\windows\system32\msi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Alwil Software\Avast4\aswUpdSv.exe c:\program files\Alwil Software\Avast4\ashServ.exe c:\windows\system32\rundll32.exe c:\windows\ATKKBService.exe c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe c:\program files\HP\Digital Imaging\bin\hpqgalry.exe c:\windows\system32\nvsvc32.exe c:\windows\system32\slserv.exe c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe c:\program files\Alwil Software\Avast4\ashMaiSv.exe c:\program files\Alwil Software\Avast4\ashWebSv.exe c:\windows\system32\msiexec.exe c:\program files\Skype\Plugin Manager\skypePM.exe . ************************************************************************** . Completion time: 2009-08-24 11:34 - machine was rebooted ComboFix-quarantined-files.txt 2009-08-24 09:34 Pre-Run: 1.059.758.080 bytes free Post-Run: 1.537.912.832 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer 322 --- E O F --- 2009-08-23 08:22 [ Dashkes @ 24.08.2009. 10:57 ] @
Ok, ja ne radim sa Combofix-om, ali bih rekao da je to to, nisam siguran. Da li ste odradili ono sto sam Vam rekao u vezi GMER-a? Da li se jos uvek pojavljuju procesi?
[ vana077 @ 24.08.2009. 11:04 ] @
Pri dizanju sistema vise nije bilo IEEXPLORE.EXE!!!
Nisam uradila nista sa GMER-om, videla sam samo poruku od Kristi1, nisam videla vasu na vreme. HVALA vam puuuuno na pomoci, nemate pojma koliko sam vam zahvalna na vasem trudu i vremenu! Da ne bih dosla ponovo u ovu situaciju (a moguce je da cu doci pored troje dece na racunaru), koju mi zastitu preporucujete, sa obzirom da Avast nije pronasao fajl mark32.dll? Hvala puno! [ Dashkes @ 24.08.2009. 11:16 ] @
Odradite to sa GMER-om za svaki slucaj. Ja bih Vam najpre preporucio da procitate sledeci jako koristan post - http://www.elitesecurity.org/p2355299
Kao sto vidite, mark_32.dll je prepoznalo samo 12.20% antivirusa medju kojima nisu "vodeci lideri" (osim AVG-a). Ja licno koristim Dr.Web. Nema na cemu, mi smo tu da Vam pomognemo. P.S. Sacekajte samo malo, kristi1 ce za nekoliko minuta da pregleda Combofix log. [ vana077 @ 24.08.2009. 12:06 ] @
Uradila sam ono sa GMER-om i pisalo je da sistem ne moze da pronadje te fajlove. Posle toga nije hteo da uradi restart, malo se smrzo :), pa sam sama restartovala posle nekih 15 minuta.
Hvala i na savetu! [ kristi1 @ 24.08.2009. 13:04 ] @
@vana077 otvori notepad i iskopiraj sledeci tekst iz code taga. Ugasi AV!
Code: Driver:: eorfdpwuq NetSvc:: eorfdpwuq Snimi ga na desktop pod imenom CFScript Zatim levim klikom misa prevuci skriptu na ikonicu Combofixa  Kad zavrsi skeniranje\ ciscenje, postavi mi novi log. [ vana077 @ 24.08.2009. 14:54 ] @
Evo, uradila kako ste rekli:
ComboFix 09-08-23.01 - Internet Nanny 24.08.2009 15:42.2.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.405 [GMT 2:00] Running from: c:\documents and settings\Internet Nanny\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Internet Nanny\Desktop\CFScript.txt AV: avast! antivirus 4.8.1351 [VPS 090823-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D} FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_EORFDPWUQ ((((((((((((((((((((((((( Files Created from 2009-07-24 to 2009-08-24 ))))))))))))))))))))))))))))))) . 2009-08-23 18:44 . 2009-08-23 18:44 -------- d-----w- c:\program files\Trend Micro 2009-08-23 15:45 . 2009-08-23 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-08-23 15:45 . 2009-08-23 15:48 -------- d-----w- c:\program files\Spybot - Search & Destroy 2009-08-12 01:01 . 2004-08-03 23:56 221184 ----a-w- c:\windows\system32\wmpns.dll 2009-08-12 01:00 . 2009-08-12 01:00 -------- d-----w- c:\windows\ServicePackFiles 2009-08-09 01:04 . 2009-08-09 01:04 -------- d-----w- c:\windows\system32\XPSViewer 2009-08-09 01:03 . 2009-08-09 01:03 -------- d-----w- c:\program files\Reference Assemblies 2009-08-09 01:03 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll 2009-08-09 01:03 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll 2009-08-09 01:03 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll 2009-08-09 01:03 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll 2009-08-09 01:03 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll 2009-08-09 01:03 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll 2009-08-09 01:03 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe 2009-08-09 01:00 . 2009-08-09 01:00 -------- d-----w- c:\program files\MSXML 6.0 2009-08-01 18:15 . 2009-08-01 18:15 -------- d-----w- c:\documents and settings\Internet Nanny\Local Settings\Application Data\Temp 2009-07-30 20:50 . 2009-07-30 20:50 -------- d-----w- c:\windows\Sun 2009-07-30 08:48 . 2009-07-30 08:48 410984 ----a-w- c:\windows\system32\deploytk.dll 2009-07-30 08:48 . 2009-07-30 08:48 -------- d-----w- c:\program files\Java 2009-07-30 08:48 . 2009-07-30 08:48 152576 ----a-w- c:\documents and settings\Internet Nanny\Application Data\Sun\Java\jre1.6.0_14\lzma.dll 2009-07-30 07:40 . 2009-07-16 12:02 52224 ----a-w- c:\documents and settings\Internet Nanny\Application Data\Mozilla\Firefox\Profiles\tgkm7d2a.default\extensions\{a33fa729-d155-4b23-842b-2c665ecabdb6}\components\FFExternalAlert.dll 2009-07-30 07:40 . 2009-07-16 12:02 114688 ----a-w- c:\documents and settings\Internet Nanny\Application Data\Mozilla\Firefox\Profiles\tgkm7d2a.default\extensions\{a33fa729-d155-4b23-842b-2c665ecabdb6}\components\npmozax.dll 2009-07-30 07:37 . 2009-03-24 12:43 43008 ----a-w- c:\documents and settings\Internet Nanny\Application Data\Mozilla\Firefox\Profiles\tgkm7d2a.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll 2009-07-30 07:37 . 2009-03-24 12:43 43008 ----a-w- c:\documents and settings\Internet Nanny\Application Data\Mozilla\Firefox\Profiles\tgkm7d2a.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll 2009-07-30 07:37 . 2009-03-24 12:43 235520 ----a-w- c:\documents and settings\Internet Nanny\Application Data\Mozilla\Firefox\Profiles\tgkm7d2a.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff2.dll 2009-07-30 07:37 . 2009-03-24 12:43 338432 ----a-w- c:\documents and settings\Internet Nanny\Application Data\Mozilla\Firefox\Profiles\tgkm7d2a.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll 2009-07-30 07:37 . 2009-03-24 12:42 235008 ----a-w- c:\documents and settings\Internet Nanny\Application Data\Mozilla\Firefox\Profiles\tgkm7d2a.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff3.dll 2009-07-30 07:37 . 2009-03-24 12:42 345088 ----a-w- c:\documents and settings\Internet Nanny\Application Data\Mozilla\Firefox\Profiles\tgkm7d2a.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll 2009-07-30 07:25 . 2009-07-30 07:25 0 ----a-w- c:\windows\nsreg.dat 2009-07-30 07:25 . 2009-07-30 07:25 -------- d-----w- c:\documents and settings\Internet Nanny\Local Settings\Application Data\Mozilla 2009-07-30 07:17 . 2009-07-30 07:17 -------- d-----w- c:\documents and settings\Internet Nanny\Local Settings\Application Data\Opera 2009-07-30 07:15 . 2009-07-30 07:16 7562568 ----a-w- c:\documents and settings\Internet Nanny\Application Data\Opera\Opera\Opera_964_int_Setup.exe 2009-07-28 17:15 . 2009-07-28 17:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google 2009-07-28 17:02 . 2009-08-24 06:45 -------- d-----w- c:\documents and settings\Internet Nanny\Application Data\skypePM 2009-07-28 17:02 . 2009-07-28 17:02 56 ---ha-w- c:\windows\system32\ezsidmv.dat 2009-07-28 17:00 . 2009-08-24 11:03 -------- d-----w- c:\documents and settings\Internet Nanny\Application Data\Skype 2009-07-28 17:00 . 2009-07-28 17:00 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google 2009-07-28 16:59 . 2009-07-28 16:59 -------- d-----w- c:\program files\Common Files\Skype 2009-07-28 16:59 . 2009-07-28 16:59 -------- d-----r- c:\program files\Skype 2009-07-28 16:59 . 2009-07-28 16:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-08-23 20:01 . 2009-05-27 13:26 -------- d-----w- c:\documents and settings\Internet Nanny\Application Data\uTorrent 2009-08-21 22:41 . 2008-12-24 17:27 196608 ----a-w- c:\windows\system32\drivers\nStandard.bin 2009-08-19 16:25 . 2008-12-24 17:27 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-08-19 16:23 . 2009-06-22 17:59 -------- d-----w- c:\program files\Dr.Kawashima 2009-08-17 16:10 . 2008-12-24 20:51 1279456 ----a-w- c:\windows\system32\aswBoot.exe 2009-08-17 16:06 . 2008-12-24 20:51 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys 2009-08-17 16:06 . 2008-12-24 20:51 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys 2009-08-17 16:05 . 2008-12-24 20:51 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys 2009-08-17 16:05 . 2008-12-24 20:51 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys 2009-08-17 16:04 . 2008-12-24 20:51 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys 2009-08-17 16:04 . 2008-12-24 20:51 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys 2009-08-17 16:03 . 2008-12-24 20:51 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys 2009-08-17 16:02 . 2008-12-24 20:51 97480 ----a-w- c:\windows\system32\AvastSS.scr 2009-08-09 05:41 . 2008-12-25 09:55 395848 ----a-w- c:\documents and settings\Internet Nanny\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-08-09 01:03 . 2008-12-24 19:16 -------- d-----w- c:\program files\MSBuild 2009-08-05 09:11 . 2004-08-03 23:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll 2009-07-30 07:17 . 2009-01-02 20:21 -------- d-----w- c:\program files\Opera 2009-07-28 17:01 . 2009-03-01 19:44 -------- d-----w- c:\program files\Google 2009-07-17 18:55 . 2004-08-03 23:56 58880 ----a-w- c:\windows\system32\atl.dll 2009-07-14 19:31 . 2009-06-02 18:20 -------- d-----w- c:\program files\The_Pirate_Bay 2009-07-13 00:18 . 2004-08-03 23:56 233472 ----a-w- c:\windows\system32\wmpdxm.dll 2009-06-28 19:05 . 2009-06-28 18:49 104070 ----a-w- c:\windows\hpoins04.dat 2009-06-28 18:55 . 2009-06-28 18:49 -------- d-----w- c:\program files\HP 2009-06-28 18:54 . 2009-06-28 18:54 -------- d-----w- c:\program files\Common Files\HP 2009-06-28 18:53 . 2009-06-28 18:53 -------- d-----w- c:\program files\Hewlett-Packard 2009-06-28 18:53 . 2009-06-28 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard 2009-06-28 18:52 . 2009-06-28 18:52 45056 ----a-r- c:\documents and settings\Internet Nanny\Application Data\Microsoft\Installer\{457791C5-D702-4143-A7B2-2744BE9573F2}\NewShortcut1_5B69D3033CA54B39B5ECE7D051297E77.exe 2009-06-28 17:10 . 2009-06-28 15:12 10134 ----a-r- c:\documents and settings\Internet Nanny\Application Data\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe 2009-06-28 14:47 . 2009-06-28 14:47 -------- d-----w- c:\program files\Common Files\Hewlett-Packard 2009-06-26 16:18 . 2004-08-03 23:56 659456 ------w- c:\windows\system32\wininet.dll 2009-06-26 16:18 . 2004-08-03 23:56 81920 ----a-w- c:\windows\system32\ieencode.dll 2009-06-25 18:36 . 2004-08-03 23:56 95744 ----a-w- c:\windows\system32\mqsec.dll 2009-06-25 18:36 . 2004-08-03 23:56 661504 ----a-w- c:\windows\system32\mqqm.dll 2009-06-25 18:36 . 2004-08-03 23:56 517120 ----a-w- c:\windows\system32\mqsnap.dll 2009-06-25 18:36 . 2004-08-03 23:56 48640 ----a-w- c:\windows\system32\mqupgrd.dll 2009-06-25 18:36 . 2004-08-03 23:56 471552 ----a-w- c:\windows\system32\mqutil.dll 2009-06-25 18:36 . 2004-08-03 23:56 47104 ----a-w- c:\windows\system32\mqdscli.dll 2009-06-25 18:36 . 2004-08-03 23:56 225280 ----a-w- c:\windows\system32\mqoa.dll 2009-06-25 18:36 . 2004-08-03 23:56 186880 ----a-w- c:\windows\system32\mqtrig.dll 2009-06-25 18:36 . 2004-08-03 23:56 177152 ----a-w- c:\windows\system32\mqrt.dll 2009-06-25 18:36 . 2004-08-03 23:56 16896 ----a-w- c:\windows\system32\mqise.dll 2009-06-25 18:36 . 2004-08-03 23:56 138240 ----a-w- c:\windows\system32\mqad.dll 2009-06-25 18:36 . 2004-08-03 23:56 123392 ----a-w- c:\windows\system32\mqrtdep.dll 2009-06-25 08:44 . 2004-08-03 23:56 59392 ----a-w- c:\windows\system32\wdigest.dll 2009-06-25 08:44 . 2004-08-03 23:56 56320 ----a-w- c:\windows\system32\secur32.dll 2009-06-25 08:44 . 2004-08-03 23:56 168448 ----a-w- c:\windows\system32\schannel.dll 2009-06-25 08:44 . 2004-08-03 23:56 724480 ----a-w- c:\windows\system32\lsasrv.dll 2009-06-25 08:44 . 2004-08-03 23:56 298496 ----a-w- c:\windows\system32\kerberos.dll 2009-06-25 08:44 . 2004-08-03 23:56 133632 ----a-w- c:\windows\system32\msv1_0.dll 2009-06-22 11:49 . 2004-08-03 23:56 19968 ----a-w- c:\windows\system32\mqbkup.exe 2009-06-22 11:49 . 2004-08-03 23:56 117248 ----a-w- c:\windows\system32\mqtgsvc.exe 2009-06-22 11:49 . 2004-08-03 23:56 4608 ----a-w- c:\windows\system32\mqsvc.exe 2009-06-22 11:48 . 2004-08-03 21:58 91776 ----a-w- c:\windows\system32\drivers\mqac.sys 2009-06-22 11:34 . 2004-08-03 21:59 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys 2009-06-16 14:55 . 2004-08-03 23:56 119808 ----a-w- c:\windows\system32\t2embed.dll 2009-06-16 14:55 . 2001-08-23 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll 2009-06-12 11:50 . 2004-08-03 23:56 80896 ----a-w- c:\windows\system32\tlntsess.exe 2009-06-12 11:50 . 2004-08-03 23:56 76288 ----a-w- c:\windows\system32\telnet.exe 2009-06-10 14:21 . 2004-08-03 23:56 84992 ----a-w- c:\windows\system32\avifil32.dll 2009-06-10 06:32 . 2004-08-03 23:56 132096 ----a-w- c:\windows\system32\wkssvc.dll 2009-06-05 07:42 . 2008-12-24 17:13 655872 ----a-w- c:\windows\system32\mstscax.dll 2009-06-03 19:27 . 2004-08-03 23:56 1290752 ----a-w- c:\windows\system32\quartz.dll . ((((((((((((((((((((((((((((( SnapShot@2009-08-24_09.31.20 ))))))))))))))))))))))))))))))))))))))))) . + 2009-08-24 13:49 . 2009-08-24 13:49 16384 c:\windows\Temp\Perflib_Perfdata_884.dat + 2009-08-24 13:47 . 2009-08-24 13:47 16384 c:\windows\Temp\Perflib_Perfdata_758.dat + 2009-08-24 13:48 . 2009-08-24 13:48 16384 c:\windows\Temp\Perflib_Perfdata_330.dat + 2009-08-24 13:49 . 2005-04-08 07:51 40960 c:\windows\system32\spool\drivers\w32x86\hpofax08.dll - 2009-08-24 09:31 . 2005-04-08 07:51 40960 c:\windows\system32\spool\drivers\w32x86\hpofax08.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{a33fa729-d155-4b23-842b-2c665ecabdb6}"= "c:\program files\The_Pirate_Bay\tbThe1.dll" [2009-07-14 2215960] [HKEY_CLASSES_ROOT\clsid\{a33fa729-d155-4b23-842b-2c665ecabdb6}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a33fa729-d155-4b23-842b-2c665ecabdb6}] 2009-07-14 19:31 2215960 ----a-w- c:\program files\The_Pirate_Bay\tbThe1.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{a33fa729-d155-4b23-842b-2c665ecabdb6}"= "c:\program files\The_Pirate_Bay\tbThe1.dll" [2009-07-14 2215960] [HKEY_CLASSES_ROOT\clsid\{a33fa729-d155-4b23-842b-2c665ecabdb6}] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{A33FA729-D155-4B23-842B-2C665ECABDB6}"= "c:\program files\The_Pirate_Bay\tbThe1.dll" [2009-07-14 2215960] [HKEY_CLASSES_ROOT\clsid\{a33fa729-d155-4b23-842b-2c665ecabdb6}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-07-16 25604904] "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-10 8429568] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-10 81920] "ASUSGamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2007-06-01 380928] "GameFace Messenger"="c:\program files\GameFace Messenger\GameFace.exe" [2006-11-01 2154496] "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352] "PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768] "WinampAgent"="c:\program files\Winamp\winampa.exe" [2003-12-13 33792] "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000] "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2005-03-08 176128] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152] "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-30 148888] "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-05-10 1626112] "C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2003-03-20 1855488] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-1-9 25214] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664] HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "e:\\igre novije\\C&C\\ZH\\game.dat"= "d:\\Igre\\ZooT\\zt.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "2940:TCP"= 2940:TCP:dgllgi "10304:TCP"= 10304:TCP:Utorrent R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [24.12.2008 22:51 114768] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [24.12.2008 22:51 20560] S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [27.5.2009 15:27 234888] . Contents of the 'Scheduled Tasks' folder 2009-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-28 17:00] 2009-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-28 17:00] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ uInternet Connection Wizard,ShellNext = iexplore IE: &Google Search - c:\program files\Google\googletoolbar.dll/cmsearch.html IE: Backward &Links - c:\program files\Google\googletoolbar.dll/cmbacklinks.html IE: Cac&hed Snapshot of Page - c:\program files\Google\googletoolbar.dll/cmcache.html IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 IE: Si&milar Pages - c:\program files\Google\googletoolbar.dll/cmsimilar.html IE: Translate into English - c:\program files\Google\googletoolbar.dll/cmtrans.html TCP: {A47073BA-E1CD-4EF9-B9E2-A6DD58D30A33} = 10.10.10.51,10.10.10.52 FF - ProfilePath - c:\documents and settings\Internet Nanny\Application Data\Mozilla\Firefox\Profiles\tgkm7d2a.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1361345&SearchSource=3&q={searchTerms} FF - prefs.js: browser.search.selectedEngine - The Pirate Bay Customized Web Search FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1361345&SearchSource=2&q= FF - component: c:\documents and settings\Internet Nanny\Application Data\Mozilla\Firefox\Profiles\tgkm7d2a.default\extensions\{a33fa729-d155-4b23-842b-2c665ecabdb6}\components\FFExternalAlert.dll FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120); c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072); c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35"); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json"); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-08-24 15:48 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(684) c:\windows\system32\msi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Alwil Software\Avast4\aswUpdSv.exe c:\program files\Alwil Software\Avast4\ashServ.exe c:\windows\ATKKBService.exe c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe c:\windows\system32\nvsvc32.exe c:\windows\system32\slserv.exe c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe c:\program files\Alwil Software\Avast4\ashMaiSv.exe c:\program files\Alwil Software\Avast4\ashWebSv.exe c:\windows\system32\rundll32.exe c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe c:\program files\HP\Digital Imaging\bin\hpqgalry.exe c:\windows\system32\msiexec.exe c:\program files\Skype\Plugin Manager\skypePM.exe . ************************************************************************** . Completion time: 2009-08-24 15:51 - machine was rebooted ComboFix-quarantined-files.txt 2009-08-24 13:51 ComboFix2.txt 2009-08-24 09:34 Pre-Run: 1.519.546.368 bytes free Post-Run: 1.440.284.672 bytes free 312 --- E O F --- 2009-08-23 08:22 [ kristi1 @ 24.08.2009. 16:32 ] @
Ok, racunar je cist, ima li sada nekih problema. Ako nema deinstaliraj Combofix
Start \ Run \ prekopiraj ovo Combofix /u pa ok. [ vana077 @ 24.08.2009. 16:35 ] @
Nema vise nikakvih problema. Pri pokretanju sistema nema IEEXPLORE.EXE, a i racunar kao da mi brze radi :) Nema onih silnih procesa i memorija mu vise nije puna. Idealno! :)
Puno, puno hvala! PS: odinstalirala sam Combo onako kako ste rekli [ vana077 @ 25.08.2009. 10:16 ] @
:(
Moja sreca je kratko trajala. Evo, jutros se vratio IEEXPLORE.EXE i racunar i veza sa internetom su mi u potpunom haosu. Imam kablovski internet i stalno me izbacuje, onda moram da restartujem racunar da bih ponovo dobila vezu. Iskljucila sam vecinu stvari osim browsera, da ne vuce internet, ali svejedno je sve usporeno. Da li da reinstaliram software? Hoce mozda to pomoci ili ce to jos vise pogorsati stvar? [ kristi1 @ 25.08.2009. 12:20 ] @
Nemas li neku flesku da si ubadala u komp u medjuvremenu. Onaj rootkit smo uklonili, nista maliciozno nema u CF logu.
Ajde da idradimo jos jednu proveru za svaki slucaj, skini http://download.bleepingcomputer.com/sUBs/dds.scr Pokreni ga sacekaj malo da izbaci logove i zakaci mi log pod nazivom DDS.txt [ vana077 @ 25.08.2009. 13:28 ] @
Nisam ubacivala nikakav USB, ali moguce da je proslo kroz mrezu od drugog racunara.
Evo ga log: svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\ASUS\GamerOSD\GamerOSD.exe C:\Program Files\GameFace Messenger\GameFace.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\WINDOWS\Mixer.exe C:\Program Files\PowerISO\PWRISOVM.EXE C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Winamp\winampa.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe svchost.exe C:\WINDOWS\ATKKBService.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe C:\WINDOWS\system32\slserv.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\ntvdm.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Internet Nanny\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.google.com/ uInternet Connection Wizard,ShellNext = iexplore BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar.dll BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar.dll EB: Ask Toolbar Quick View: {b0de3308-5d5a-470d-81b9-634fc078393b} - c:\windows\system32\shdocvw.dll EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [nwiz] nwiz.exe /install mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit mRun: [ASUSGamerOSD] c:\program files\asus\gamerosd\GamerOSD.exe mRun: [GameFace Messenger] c:\program files\gameface messenger\GameFace.exe mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe mRun: [C-Media Mixer] Mixer.exe /startup mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe" mRun: [WinampAgent] c:\program files\winamp\winampa.exe mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe" mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe" mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe" mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe IE: &Google Search - c:\program files\google\googletoolbar.dll/cmsearch.html IE: Backward &Links - c:\program files\google\googletoolbar.dll/cmbacklinks.html IE: Cac&hed Snapshot of Page - c:\program files\google\googletoolbar.dll/cmcache.html IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: Si&milar Pages - c:\program files\google\googletoolbar.dll/cmsimilar.html IE: Translate into English - c:\program files\google\googletoolbar.dll/cmtrans.html IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab TCP: {A47073BA-E1CD-4EF9-B9E2-A6DD58D30A33} = 10.10.10.51,10.10.10.52 Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\intern~1\applic~1\mozilla\firefox\profiles\tgkm7d2a.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1361345&SearchSource=3&q={searchTerms} FF - prefs.js: browser.search.selectedEngine - The Pirate Bay Customized Web Search FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1361345&SearchSource=2&q= FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false); c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200); c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess"); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120); c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3); c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true); c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0); c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072); c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json"); ============= SERVICES / DRIVERS =============== R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-24 114768] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-24 20560] R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-12-24 138680] R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-12-24 254040] R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-12-24 352920] R3 Video3D;ASUS Video3D Service;c:\windows\system32\drivers\Video3D32.sys [2008-12-24 10752] S4 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-5-27 234888] =============== Created Last 30 ================ 2009-08-24 17:41 <DIR> --ds---- C:\ComboFix 2009-08-24 11:33 <DIR> -cd----- c:\windows\system32\dllcache\cache 2009-08-24 11:24 <DIR> a-dshr-- C:\cmdcons 2009-08-23 20:44 <DIR> --d----- c:\program files\Trend Micro 2009-08-23 17:45 <DIR> --d----- c:\program files\Spybot - Search & Destroy 2009-08-23 17:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy 2009-08-12 03:01 221,184 a------- c:\windows\system32\wmpns.dll 2009-08-12 03:00 <DIR> --d----- c:\windows\ServicePackFiles 2009-08-09 03:04 <DIR> --d----- c:\windows\system32\XPSViewer 2009-08-09 03:03 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll 2009-08-09 03:03 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe 2009-08-09 03:03 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll 2009-08-09 03:03 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll 2009-08-09 03:03 1,676,288 -------- c:\windows\system32\xpssvcs.dll 2009-08-09 03:03 575,488 -------- c:\windows\system32\xpsshhdr.dll 2009-08-09 03:03 117,760 -------- c:\windows\system32\prntvpt.dll 2009-08-09 03:00 <DIR> --d----- c:\program files\MSXML 6.0 2009-07-30 10:48 73,728 a------- c:\windows\system32\javacpl.cpl 2009-07-30 10:48 410,984 a------- c:\windows\system32\deploytk.dll 2009-07-30 10:39 <DIR> --d----- c:\windows\system32\appmgmt 2009-07-30 00:49 303 a------- c:\windows\ST6UNST.001 2009-07-30 00:49 303 a------- c:\windows\ST6UNST.000 2009-07-28 19:02 56 a---h--- c:\windows\system32\ezsidmv.dat 2009-07-28 18:59 <DIR> --d--r-- c:\program files\Skype ==================== Find3M ==================== 2009-08-22 00:41 196,608 a------- c:\windows\system32\drivers\nStandard.bin 2009-08-05 11:11 204,800 a------- c:\windows\system32\mswebdvd.dll 2009-07-17 20:55 58,880 a------- c:\windows\system32\atl.dll 2009-07-13 02:18 233,472 a------- c:\windows\system32\wmpdxm.dll 2009-06-28 21:05 104,070 a------- c:\windows\hpoins04.dat 2009-06-26 18:18 659,456 -------- c:\windows\system32\wininet.dll 2009-06-26 18:18 81,920 a------- c:\windows\system32\ieencode.dll 2009-06-25 20:36 661,504 a------- c:\windows\system32\mqqm.dll 2009-06-25 20:36 517,120 a------- c:\windows\system32\mqsnap.dll 2009-06-25 20:36 471,552 a------- c:\windows\system32\mqutil.dll 2009-06-25 20:36 225,280 a------- c:\windows\system32\mqoa.dll 2009-06-25 20:36 186,880 a------- c:\windows\system32\mqtrig.dll 2009-06-25 20:36 177,152 a------- c:\windows\system32\mqrt.dll 2009-06-25 20:36 138,240 a------- c:\windows\system32\mqad.dll 2009-06-25 20:36 123,392 a------- c:\windows\system32\mqrtdep.dll 2009-06-25 20:36 95,744 a------- c:\windows\system32\mqsec.dll 2009-06-25 20:36 48,640 a------- c:\windows\system32\mqupgrd.dll 2009-06-25 20:36 47,104 a------- c:\windows\system32\mqdscli.dll 2009-06-25 20:36 16,896 a------- c:\windows\system32\mqise.dll 2009-06-25 10:44 724,480 a------- c:\windows\system32\lsasrv.dll 2009-06-25 10:44 298,496 a------- c:\windows\system32\kerberos.dll 2009-06-25 10:44 168,448 a------- c:\windows\system32\schannel.dll 2009-06-25 10:44 133,632 a------- c:\windows\system32\msv1_0.dll 2009-06-25 10:44 59,392 a------- c:\windows\system32\wdigest.dll 2009-06-25 10:44 56,320 a------- c:\windows\system32\secur32.dll 2009-06-22 13:49 117,248 a------- c:\windows\system32\mqtgsvc.exe 2009-06-22 13:49 19,968 a------- c:\windows\system32\mqbkup.exe 2009-06-22 13:49 4,608 a------- c:\windows\system32\mqsvc.exe 2009-06-16 16:55 119,808 a------- c:\windows\system32\t2embed.dll 2009-06-16 16:55 82,432 a------- c:\windows\system32\fontsub.dll 2009-06-12 13:50 80,896 a------- c:\windows\system32\tlntsess.exe 2009-06-12 13:50 76,288 a------- c:\windows\system32\telnet.exe 2009-06-10 16:21 84,992 a------- c:\windows\system32\avifil32.dll 2009-06-10 08:32 132,096 a------- c:\windows\system32\wkssvc.dll 2009-06-05 09:42 655,872 a------- c:\windows\system32\mstscax.dll 2009-06-03 21:27 1,290,752 a------- c:\windows\system32\quartz.dll 2001-11-23 07:08 712,704 a----r-- c:\windows\inf\other\AUDIO3D.DLL ============= FINISH: 14:24:00,15 =============== PS: da bih uopste mogla da radim na racunaru, ugasila sam u procesima IEEXPLORE.EXE. Kad je on u procesima, skoro da je nemoguce ukljuciti brows. [ kristi1 @ 25.08.2009. 17:22 ] @
Moguce kad si ga iskljucila, zato ga ja ni ne vidim u logu. Probaj da ga rucno obrises, ukljuci prikazivanje skrivenih fajlova i foldera. pa ga obrisi, sad kad je iskljucen.
[ Dashkes @ 25.08.2009. 18:11 ] @
Skenirajte sa Dr.Web CureIt!-om racunar, sada prepoznaje zarazu.
Copyright (C) 2001-2025 by www.elitesecurity.org. All rights reserved.
|
