[ gogi100 @ 18.03.2011. 08:23 ] @
So, I cleaned this vermin with Remove IT Pro, Malwarebytes and Kaspersky Rescue Disk 10 http://www.threatexpert.com/re...0437420c2778227ee5db9ab99404d4 When I finished, I made a log with HijackThis. Please tell me whether it can be seen from this log file whether or not there are viruses.

Thanks
Quote:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:19:02 AM, on 3/18/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [HPPQVideo] "C:\Program Files\HP\ScheduledLaunch\HP LaserJet P2050 Series\bin\hppschlnch.exe" -r SOFTWARE\Hewlett-Packard\ScheduledLaunch\LJ_P2050_Series -f PQOptimizerVideo.xml -o RemindLater
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [IE7-11] rundll32 advpack.dll,LaunchINFSection NR_IE7en.inf,AfterUserStart (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
O8 - Extra context menu item: Iz&vezi u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)

--
End of file - 5632 bytes

[ kristi1 @ 18.03.2011. 08:29 ] @
It can't be seen from that log. Do the following:

Download the DDS program to the Desktop
http://download.bleepingcomputer.com/sUBs/dds.com

Double-click to run dds; when it finishes, DDS will open two logs:
1. DDS.txt
2. Attach.txt
Save both reports to the Desktop.
Copy DDS.txt for me.
[ gogi100 @ 18.03.2011. 10:30 ] @
I've attached the dds log. I noticed that files like ctxfix and anarchylib, which characterize this vermin, can't be seen this way, but when I boot Hiren's Boot 13 Mini Windows they are still there.
[ kristi1 @ 18.03.2011. 12:50 ] @
You will have to uninstall AVG because the next tool doesn't work with that antivirus. I would recommend that you install Avast6 afterwards, because in my opinion it is better than AVG.

Download ComboFix from the following address to the Desktop:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Run ComboFix only from the desktop
Click Yes \ Ok on every popup window

When the scan finishes, it will put a log on the desktop

Copy the log here for me.
[ gogi100 @ 18.03.2011. 14:02 ] @
Here is what the ComboFix log looks like

Quote:
ComboFix 11-03-17.02 - Administrator 03/18/2011 15:02:55.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1617 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\HPPDEVX.DLL.log
c:\windows\AnarchyIRCLib.dll
c:\windows\lsasc.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-18 to 2011-03-18 )))))))))))))))))))))))))))))))
.
.
2011-03-16 12:12 . 2011-03-16 12:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-03-16 09:12 . 2009-07-27 23:17 135168 -c----w- c:\windows\system32\dllcache\shsvcs.dll
2011-03-16 08:58 . 2011-03-16 08:58 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-03-15 10:33 . 2011-03-15 10:33 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-03-09 05:54 . 2011-02-09 13:53 270848 -c----w- c:\windows\system32\dllcache\sbe.dll
2011-03-09 05:54 . 2011-02-09 13:53 186880 -c----w- c:\windows\system32\dllcache\encdec.dll
2011-03-09 05:54 . 2011-02-02 07:58 2067456 -c----w- c:\windows\system32\dllcache\lhmstscx.dll
2011-03-09 05:54 . 2011-01-27 11:57 677888 -c----w- c:\windows\system32\dllcache\lhmstsc.exe
2011-03-04 09:52 . 2010-03-13 11:49 125952 --sha-r- c:\windows\ctxfix.exe
2011-02-28 10:42 . 2011-02-28 10:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Monotype Imaging
2011-02-28 10:34 . 2011-02-28 10:34 -------- d-----w- c:\documents and settings\LocalService\Application Data\Monotype Imaging
2011-02-28 10:33 . 2010-11-25 13:49 28672 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\TSKppr.dll
2011-02-28 10:33 . 2010-11-25 13:49 61440 ----a-w- c:\windows\system32\TSKMON.DLL
2011-02-17 10:36 . 2011-02-17 10:36 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-02-17 10:18 . 2011-02-17 10:18 -------- d-----w- c:\program files\InCode Solutions
2011-02-17 09:28 . 2010-08-27 05:57 99840 -c----w- c:\windows\system32\dllcache\srvsvc.dll
2011-02-17 09:27 . 2008-05-09 10:53 90112 -c----w- c:\windows\system32\dllcache\wshext.dll
2011-02-17 09:27 . 2008-05-09 10:53 172032 -c----w- c:\windows\system32\dllcache\scrrun.dll
2011-02-17 09:27 . 2008-05-09 10:53 180224 -c----w- c:\windows\system32\dllcache\scrobj.dll
2011-02-17 09:27 . 2008-05-09 08:45 135168 -c----w- c:\windows\system32\dllcache\cscript.exe
2011-02-17 09:27 . 2008-05-08 11:24 155648 -c----w- c:\windows\system32\dllcache\wscript.exe
2011-02-17 09:27 . 2010-11-18 18:12 81920 -c----w- c:\windows\system32\dllcache\isign32.dll
2011-02-17 09:27 . 2010-08-17 13:17 58880 -c----w- c:\windows\system32\dllcache\spoolsv.exe
2011-02-17 09:27 . 2011-01-21 14:44 439296 -c----w- c:\windows\system32\dllcache\shimgvw.dll
2011-02-17 09:26 . 2010-07-16 12:05 1288192 -c----w- c:\windows\system32\dllcache\ole32.dll
2011-02-17 09:26 . 2010-06-18 17:45 293376 -c----w- c:\windows\system32\dllcache\winsrv.dll
2011-02-17 09:25 . 2010-04-16 15:36 406016 -c----w- c:\windows\system32\dllcache\usp10.dll
2011-02-17 09:25 . 2010-11-09 14:52 249856 -c----w- c:\windows\system32\dllcache\odbc32.dll
2011-02-17 09:25 . 2010-11-09 14:52 536576 -c----w- c:\windows\system32\dllcache\msado15.dll
2011-02-17 09:25 . 2010-11-09 14:52 200704 -c----w- c:\windows\system32\dllcache\msadox.dll
2011-02-17 09:25 . 2010-11-09 14:52 180224 -c----w- c:\windows\system32\dllcache\msadomd.dll
2011-02-17 09:25 . 2010-11-09 14:52 143360 -c----w- c:\windows\system32\dllcache\msadco.dll
2011-02-17 09:25 . 2010-11-09 14:52 102400 -c----w- c:\windows\system32\dllcache\msjro.dll
2011-02-17 09:25 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2011-02-17 09:25 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2011-02-17 09:24 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-02-17 09:22 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-02-17 09:18 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-02-16 14:22 . 2011-02-16 14:22 -------- d-----w- c:\program files\UPHClean
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-03 23:56 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-03 23:56 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2009-11-14 11:32 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-21 14:44 . 2004-08-03 23:56 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-03 23:56 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2007-03-21 10:10 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2007-03-21 10:09 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2007-03-21 10:10 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2007-03-21 10:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2004-08-03 23:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2007-03-21 10:09 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 17:09 . 2011-02-16 13:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 17:08 . 2011-02-16 13:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 12:55 . 2007-03-21 10:11 385024 ----a-w- c:\windows\system32\html.iec
2010-03-13 11:49 125952 --sha-r- c:\windows\ctxfix.exe
2008-04-14 04:42 64000 --sha-r- c:\windows\system32\cleanmgr.exe
2008-04-14 04:42 180224 --sha-r- c:\windows\system32\dwwin.exe
2008-04-14 04:42 1200640 --sha-r- c:\windows\system32\ntbackup.exe
2008-04-14 04:42 380416 --sha-r- c:\windows\system32\Restore\rstrui.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-18 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-18 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-18 141848]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-03-05 1044480]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"IE7-11"="advpack.dll" [2009-03-08 128512]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 22:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 03:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTXFIXH]
2010-03-13 11:49 125952 --sha-r- c:\windows\ctxfix.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 23:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-12-08 14:50 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPUsageTracking]
2008-05-07 09:38 36864 ----a-w- c:\program files\HP\HP UT\bin\hppusg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 04:42 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToolBoxFX]
2008-04-02 11:06 53248 ----a-w- c:\program files\HP\ToolboxFX\bin\HPTLBXFX.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2004-12-20 18:41 33792 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [11/14/2009 1:12 PM 24064]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [11/14/2009 1:32 PM 176640]
S4 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: Iz&vezi u Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-HPPQVideo - c:\program files\HP\ScheduledLaunch\HP LaserJet P2050 Series\bin\hppschlnch.exe -r SOFTWARE\Hewlett-Packard\ScheduledLaunch\LJ_P2050_Series -f PQOptimizerVideo.xml
Notify-avgrsstarter - (no file)
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-18 15:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-484763869-1004336348-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,79,53,97,25,0f,b3,e8,46,be,cf,08,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,79,53,97,25,0f,b3,e8,46,be,cf,08,\
.
Completion time: 2011-03-18 15:05:28
ComboFix-quarantined-files.txt 2011-03-18 14:05
.
Pre-Run: 46,501,826,560 bytes free
Post-Run: 47,459,467,264 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30
.
- - End Of File - - F95A2842E8E3DA59723967B7FF418BD7
[ kristi1 @ 18.03.2011. 15:15 ] @
Open Notepad and copy the text below:

Code:



File::
c:\windows\ctxfix.exe
c:\windows\system32\cleanmgr.exe
c:\windows\system32\dwwin.exe
c:\windows\system32\ntbackup.exe
c:\windows\system32\Restore\rstrui.exe


RegLock::
[HKEY_USERS\S-1-5-21-484763869-1004336348-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,79,53,97,25,0f,b3,e8,46,be,cf,08,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,79,53,97,25,0f,b3,e8,46,be,cf,08,\


Click File\Save as and save the text as CFScript on the desktop

Follow the instructions in the picture and drag CFScript.txt onto the ComboFix.exe icon
That will start ComboFix
When it finishes, a log will appear (C:\ComboFix.txt)

Post the ComboFix log for review.
[ gogi100 @ 18.03.2011. 15:33 ] @
The log is
Quote:
ComboFix 11-03-17.02 - Administrator 03/18/2011 16:29:51.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1678 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.
FILE ::
"c:\windows\ctxfix.exe"
"c:\windows\system32\cleanmgr.exe"
"c:\windows\system32\dwwin.exe"
"c:\windows\system32\ntbackup.exe"
"c:\windows\system32\Restore\rstrui.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\ctxfix.exe
.
Infected copy of c:\windows\system32\cleanmgr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\cleanmgr.exe
.
Infected copy of c:\windows\system32\dwwin.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\dwwin.exe
.
Infected copy of c:\windows\system32\ntbackup.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ntbackup.exe
.
Infected copy of c:\windows\system32\Restore\rstrui.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\rstrui.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-18 to 2011-03-18 )))))))))))))))))))))))))))))))
.
.
2011-03-16 12:12 . 2011-03-16 12:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-03-16 09:12 . 2009-07-27 23:17 135168 -c----w- c:\windows\system32\dllcache\shsvcs.dll
2011-03-16 08:58 . 2011-03-16 08:58 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-03-15 10:33 . 2011-03-15 10:33 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-03-09 05:54 . 2011-02-09 13:53 270848 -c----w- c:\windows\system32\dllcache\sbe.dll
2011-03-09 05:54 . 2011-02-09 13:53 186880 -c----w- c:\windows\system32\dllcache\encdec.dll
2011-03-09 05:54 . 2011-02-02 07:58 2067456 -c----w- c:\windows\system32\dllcache\lhmstscx.dll
2011-03-09 05:54 . 2011-01-27 11:57 677888 -c----w- c:\windows\system32\dllcache\lhmstsc.exe
2011-02-28 10:42 . 2011-02-28 10:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Monotype Imaging
2011-02-28 10:34 . 2011-02-28 10:34 -------- d-----w- c:\documents and settings\LocalService\Application Data\Monotype Imaging
2011-02-28 10:33 . 2010-11-25 13:49 28672 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\TSKppr.dll
2011-02-28 10:33 . 2010-11-25 13:49 61440 ----a-w- c:\windows\system32\TSKMON.DLL
2011-02-17 10:36 . 2011-02-17 10:36 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-02-17 10:18 . 2011-02-17 10:18 -------- d-----w- c:\program files\InCode Solutions
2011-02-17 09:28 . 2010-08-27 05:57 99840 -c----w- c:\windows\system32\dllcache\srvsvc.dll
2011-02-17 09:27 . 2008-05-09 10:53 90112 -c----w- c:\windows\system32\dllcache\wshext.dll
2011-02-17 09:27 . 2008-05-09 10:53 172032 -c----w- c:\windows\system32\dllcache\scrrun.dll
2011-02-17 09:27 . 2008-05-09 10:53 180224 -c----w- c:\windows\system32\dllcache\scrobj.dll
2011-02-17 09:27 . 2008-05-09 08:45 135168 -c----w- c:\windows\system32\dllcache\cscript.exe
2011-02-17 09:27 . 2008-05-08 11:24 155648 -c----w- c:\windows\system32\dllcache\wscript.exe
2011-02-17 09:27 . 2010-11-18 18:12 81920 -c----w- c:\windows\system32\dllcache\isign32.dll
2011-02-17 09:27 . 2010-08-17 13:17 58880 -c----w- c:\windows\system32\dllcache\spoolsv.exe
2011-02-17 09:27 . 2011-01-21 14:44 439296 -c----w- c:\windows\system32\dllcache\shimgvw.dll
2011-02-17 09:26 . 2010-07-16 12:05 1288192 -c----w- c:\windows\system32\dllcache\ole32.dll
2011-02-17 09:26 . 2010-06-18 17:45 293376 -c----w- c:\windows\system32\dllcache\winsrv.dll
2011-02-17 09:25 . 2010-04-16 15:36 406016 -c----w- c:\windows\system32\dllcache\usp10.dll
2011-02-17 09:25 . 2010-11-09 14:52 249856 -c----w- c:\windows\system32\dllcache\odbc32.dll
2011-02-17 09:25 . 2010-11-09 14:52 536576 -c----w- c:\windows\system32\dllcache\msado15.dll
2011-02-17 09:25 . 2010-11-09 14:52 200704 -c----w- c:\windows\system32\dllcache\msadox.dll
2011-02-17 09:25 . 2010-11-09 14:52 180224 -c----w- c:\windows\system32\dllcache\msadomd.dll
2011-02-17 09:25 . 2010-11-09 14:52 143360 -c----w- c:\windows\system32\dllcache\msadco.dll
2011-02-17 09:25 . 2010-11-09 14:52 102400 -c----w- c:\windows\system32\dllcache\msjro.dll
2011-02-17 09:25 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2011-02-17 09:25 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2011-02-17 09:24 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-02-17 09:22 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-02-17 09:18 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-03 23:56 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-03 23:56 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2009-11-14 11:32 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-21 14:44 . 2004-08-03 23:56 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-03 23:56 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2007-03-21 10:10 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2007-03-21 10:09 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2007-03-21 10:10 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2007-03-21 10:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2004-08-03 23:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2007-03-21 10:09 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 17:09 . 2011-02-16 13:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 17:08 . 2011-02-16 13:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 12:55 . 2007-03-21 10:11 385024 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-18_14.04.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-14 11:34 . 2008-04-14 04:42 380416 c:\windows\system32\dllcache\rstrui.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-18 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-18 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-18 141848]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-03-05 1044480]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"IE7-11"="advpack.dll" [2009-03-08 128512]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 22:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 03:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 23:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-12-08 14:50 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPUsageTracking]
2008-05-07 09:38 36864 ----a-w- c:\program files\HP\HP UT\bin\hppusg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 04:42 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToolBoxFX]
2008-04-02 11:06 53248 ----a-w- c:\program files\HP\ToolboxFX\bin\HPTLBXFX.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2004-12-20 18:41 33792 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [11/14/2009 1:12 PM 24064]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [11/14/2009 1:32 PM 176640]
S4 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: Iz&vezi u Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-CTXFIXH - c:\windows\ctxfix.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-18 16:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(244)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\igfxsrvc.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-03-18 16:36:54 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-18 15:36
ComboFix2.txt 2011-03-18 14:05
.
Pre-Run: 47,468,998,656 bytes free
Post-Run: 47,455,858,688 bytes free
.
- - End Of File - - 8FF0F0F511CADE28347C295B787AC2EF
[ kristi1 @ 18.03.2011. 15:40 ] @
What is the situation now?
[ kristi1 @ 18.03.2011. 15:55 ] @
Download this program to the desktop so I can check something

http://jpshortstuff.247fixes.com/SystemLook.exe

Run the program and copy the following text into its window:


Code:



:file
c:\windows\system32\dllcache\wscript.exe
c:\windows\system32\dllcache\ole32.dll
c:\windows\system32\dllcache\srvsvc.dll


Click Look and then copy for me the log that will appear on the desktop.
[ gogi100 @ 18.03.2011. 19:43 ] @
OK, I'll do that on Monday because the computer is at work.
[ gogi100 @ 21.03.2011. 07:49 ] @
Log from SystemLook

Quote:
SystemLook 04.09.10 by jpshortstuff
Log created at 08:54 on 21/03/2011 by Administrator
Administrator - Elevation successful

========== file ==========

c:\windows\system32\dllcache\wscript.exe - File found and opened.
MD5: CEA8F7E45B7B098F5FB085BB6A6A4432
Created at 09:27 on 17/02/2011
Modified at 11:24 on 08/05/2008
Size: 155648 bytes
Attributes: -----c-
FileDescription: Microsoft (R) Windows Based Script Host
FileVersion: 5.7.0.18066
ProductVersion: 5.7.0.18066
OriginalFilename: wscript.exe
InternalName: wscript.exe
ProductName: Microsoft (R) Windows Script Host
CompanyName: Microsoft Corporation
LegalCopyright: Copyright (C) Microsoft Corp. 1996-2006, All Rights Reserved

c:\windows\system32\dllcache\ole32.dll - File found and opened.
MD5: 7A6A7900B5E322763430BA6FD9A31224
Created at 09:26 on 17/02/2011
Modified at 12:05 on 16/07/2010
Size: 1288192 bytes
Attributes: -----c-
FileDescription: Microsoft OLE for Windows
FileVersion: 5.1.2600.6010 (xpsp_sp3_gdr.100712-1633)
ProductVersion: 5.1.2600.6010
OriginalFilename: OLE32.DLL
InternalName: OLE32.DLL
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

c:\windows\system32\dllcache\srvsvc.dll - File found and opened.
MD5: 3A7C3CBE5D96B8AE96CE81F0B22FB527
Created at 09:28 on 17/02/2011
Modified at 05:57 on 27/08/2010
Size: 99840 bytes
Attributes: -----c-
FileDescription: Server Service DLL
FileVersion: 5.1.2600.6031 (xpsp_sp3_gdr.100826-1646)
ProductVersion: 5.1.2600.6031
OriginalFilename: SRVSVC.DLL
InternalName: SRVSVC.DLL
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

-= EOF =-
[ kristi1 @ 21.03.2011. 08:18 ] @
These files are fine, everything should be OK. You can uninstall ComboFix.

Start > Run > copy the following:

Combofix /Uninstall

Press Enter and confirm the uninstall.

Install the following program http://amf.mycity.rs/programs/mc/mcshield/

It will protect you from attacks via all memory cards (flash drives).

Install an antivirus; I suggest Avast6 because it is better than AVG

http://download.cnet.com/Avast...737&subj=dl&tag=button

[ gogi100 @ 21.03.2011. 08:29 ] @
Sorry, I have a slightly complicated question. At work I have at least ten workstations with this virus. How do I clean this virus on all of them? It's a bit complicated to bother you with.
[ kristi1 @ 21.03.2011. 09:31 ] @
You can try cleaning them with this program

http://majorgeeks.com/download...3ee0b20204960edfd909666f809b26

So you run the program, allow the update and start a quick scan; you can also run a full one (it scans the entire HDD).

That is roughly what you can do yourself. Do not run ComboFix on your own, because CF is a professional tool, and if you don't know it, don't tinker with it.
After cleaning you can also install MCShield on every computer, that is, to protect them from infected flash drives.
[ gogi100 @ 29.03.2011. 13:45 ] @
I'm asking for help once more. I had one more computer running Win XP Pro and scanned it with Malwarebytes, AVG and Remove IT Pro, but I'm not sure whether I deleted this vermin. I'm sending you the DDS file

Quote:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Administrator at 14:33:17.71 on Tue 03/29/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1621 [GMT 2:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\administrator.DRI\Desktop\dds.com
C:\WINDOWS\SoftwareDistribution\Download\ef7050dfe7398bda5cf873e529673216\update\update.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {C77F23ED-666C-4D95-B263-91B93F63B9C4} = 10.13.74.20
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2009-7-23 24064]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2009-7-23 176640]
.
=============== Created Last 30 ================
.
2011-03-29 12:06:09 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-03-29 12:06:06 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2011-03-29 12:06:05 5120 ------w- c:\windows\system32\xpsp4res.dll
2011-03-29 12:04:55 98816 ----a-w- c:\windows\sed.exe
2011-03-29 12:04:55 89088 ----a-w- c:\windows\MBR.exe
2011-03-29 12:04:55 256512 ----a-w- c:\windows\PEV.exe
2011-03-29 12:04:55 161792 ----a-w- c:\windows\SWREG.exe
2011-03-29 12:02:32 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2011-03-29 11:59:48 -------- d-----w- c:\windows\system32\PreInstall
2011-03-29 11:51:58 -------- d-----w- c:\windows\system32\SoftwareDistribution
2011-03-29 11:44:43 -------- d-----w- c:\windows\ServicePackFiles
2011-03-29 11:44:30 294912 ------w- c:\program files\windows media player\dlimport.exe
2011-03-29 11:44:27 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2011-03-29 11:41:54 19569 ----a-w- c:\windows\002958_.tmp
2011-03-29 10:39:39 -------- d-----w- c:\docume~1\admini~1.dri\applic~1\AVG10
2011-03-29 10:38:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-03-29 10:37:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-03-29 10:28:40 -------- d-----w- c:\program files\Smart Virus Remover
2011-03-29 10:20:32 -------- d-----w- c:\program files\Trend Micro
2011-03-29 09:52:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-03-29 09:41:38 -------- d-----w- c:\program files\InCode Solutions
2011-03-29 08:34:50 -------- d-----w- c:\docume~1\admini~1.dri\applic~1\Malwarebytes
2011-03-29 08:34:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-29 08:34:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-29 08:34:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-29 08:34:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-29 07:58:28 -------- d-sh--w- c:\documents and settings\administrator.dri\IECompatCache
2011-03-29 07:57:23 -------- d-sh--w- c:\documents and settings\administrator.dri\PrivacIE
2011-03-15 10:05:54 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
.
==================== Find3M ====================
.
.
============= FINISH: 14:33:51.21 ===============


and the ComboFix file
Quote:
ComboFix 11-03-28.05 - Administrator 03/29/2011 14:39:22.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1702 [GMT 2:00]
Running from: c:\documents and settings\administrator.DRI\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-29 )))))))))))))))))))))))))))))))
.
.
2011-03-29 12:33 . 2011-03-29 12:33 -------- d-----w- c:\windows\LastGood
2011-03-29 12:06 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-03-29 12:06 . 2010-08-16 08:45 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2011-03-29 12:06 . 2010-08-13 12:53 5120 ------w- c:\windows\system32\xpsp4res.dll
2011-03-29 12:02 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2011-03-29 11:44 . 2008-04-14 03:42 294912 ------w- c:\program files\Windows Media Player\dlimport.exe
2011-03-29 11:44 . 2008-04-14 03:42 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2011-03-29 11:41 . 2006-12-28 22:31 19569 ----a-w- c:\windows\002958_.tmp
2011-03-29 10:39 . 2011-03-29 10:39 -------- d-----w- c:\documents and settings\administrator.DRI\Application Data\AVG10
2011-03-29 10:38 . 2011-03-29 12:02 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-03-29 10:37 . 2011-03-29 10:38 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-03-29 10:28 . 2011-03-29 10:28 -------- d-----w- c:\program files\Smart Virus Remover
2011-03-29 10:20 . 2011-03-29 10:20 -------- d-----w- c:\program files\Trend Micro
2011-03-29 09:52 . 2011-03-29 09:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-29 09:41 . 2011-03-29 09:41 -------- d-----w- c:\program files\InCode Solutions
2011-03-29 08:34 . 2011-03-29 08:34 -------- d-----w- c:\documents and settings\administrator.DRI\Application Data\Malwarebytes
2011-03-29 08:34 . 2010-12-20 16:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-29 08:34 . 2011-03-29 08:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-29 08:34 . 2011-03-29 08:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-29 08:34 . 2010-12-20 16:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-29 07:58 . 2011-03-29 07:58 -------- d-sh--w- c:\documents and settings\administrator.DRI\IECompatCache
2011-03-29 07:57 . 2011-03-29 07:57 -------- d-sh--w- c:\documents and settings\administrator.DRI\PrivacIE
2011-03-15 10:05 . 2011-03-15 10:05 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-29_12.13.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-27 12:00 . 2010-08-16 08:45 590848 c:\windows\system32\rpcrt4.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-06-19 1044480]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 01:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 03:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-07-07 08:55 170520 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPUsageTracking]
2008-05-07 09:38 36864 ----a-w- c:\program files\HP\HP UT\bin\hppusg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-07-07 08:56 150040 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-07-07 08:56 141848 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToolBoxFX]
2008-04-02 11:06 53248 ----a-w- c:\program files\HP\ToolboxFX\bin\HPTLBXFX.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [7/23/2009 2:49 PM 24064]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [7/23/2009 2:47 PM 176640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-29 c:\windows\Tasks\User_Feed_Synchronization-{4DE791EE-1E04-4175-9ABC-6CD2E3750BFC}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 03:31]
.
2011-03-29 c:\windows\Tasks\User_Feed_Synchronization-{75B9C20B-9FA0-425B-A34B-5B342BB566C1}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {C77F23ED-666C-4D95-B263-91B93F63B9C4} = 10.13.74.20
FF - ProfilePath -
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-29 14:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3433641461-923192373-1833595427-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a8,31,e0,b8,cd,32,2b,40,82,17,d0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a8,31,e0,b8,cd,32,2b,40,82,17,d0,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1924)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
Completion time: 2011-03-29 14:44:21
ComboFix-quarantined-files.txt 2011-03-29 12:44
ComboFix2.txt 2011-03-29 12:14
.
Pre-Run: 37,126,090,752 bytes free
Post-Run: 37,117,530,112 bytes free
.
- - End Of File - - 74F0808184FD6012AFC063C27D52B2CC

if you can tell me from these files whether the computer is clean
thank you