For Dr Bora !!! Virus: malware Win32: Zlober [Drp]

Ivan-Pirot
Beginner
Posts: 43
Greetings to Dr Bora,
I have a problem with a virus whose name is: malware Win32: Zlober [Drp], of type: Cuckoo's egg, which activates only when I connect to the internet. It keeps cloning itself and causing problems. The AV program I use, Avast, always detects it and I put it in the chest.
I read your instructions for removing malware problems on your own.
I used:
AV Avast 4.7 home version,
Spybot-Search & Destroy (scanned from Safe Mode),
Ad-Aware SE Personal,
Spyware Terminator.

The result is NEGATIVE. The virus cannot be removed.
I use a dial-up connection to access the internet.

Following your instructions I used the program HijackThis, and after running the procedure the following log file came out:

Logfile of HijackThis v1.99.1
Scan saved at 12:42:58, on 25.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\WinDVR3\WinRemote.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IDA\ida.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Multimedia Protector Premium\1.3\checkupdmp.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
D:\Install\Pomoc na FORUM-u\Pomoc preko FORUM-a.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - C:\PROGRA~1\IDA\idaiehlp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WinRemote] "C:\Program Files\InterVideo\WinDVR3\WinRemote.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Download ALL with IDA - C:\Program Files\IDA\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Program Files\IDA\idaie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Mirage Computer Systems: Multimedia Protector update permissions manager. 14007. - Unknown owner - C:\Program Files\Multimedia Protector Premium\1.3\checkupdmp.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

Greetings from a worried student.
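A HijackThis log like the one above is normally read by hand, section by section (R lines are IE search/start settings, O2/O3 are BHOs and toolbars, O20 are Winlogon Notify DLLs, O23 are services). As an added example that is not part of this thread, here is a small Python script that does that first pass automatically over a few lines copied from the log: it flags IE search settings pointing at hosts outside an assumed allowlist, components registered with no display name, every Winlogon Notify DLL, services with no company name or whose binary HijackThis could not find, and a CLSID that hooks more than one IE extension point. The allowlist, the flagging rules and the excerpt are the example's own choices.

```python
"""First-pass triage of a HijackThis 1.99 log.

Added example for this thread, not a tool from the forum. SAMPLE_LOG is a
constructed excerpt: lines copied (and shortened) from the log posted above.
"""
import re
from urllib.parse import urlparse

# One HijackThis entry per line: "<section> - <body>", e.g. "O23 - Service: ..."
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://\S+")
# Windows path up to the first executable/library extension (paths contain spaces)
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|ocx)\b", re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Hosts accepted as default IE search/start-page targets. Assumed allowlist;
# extend it for the machine you are looking at.
KNOWN_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com", "www.google.com"}

# Constructed excerpt of the posted log (one line per HijackThis entry).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60327
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
"""


def triage_line(line):
    """Return a list of (section, reason) findings for one log line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []  # header, process list, blank line: not an entry
    sec, body = m.group("sec"), m.group("body")
    findings = []
    last_path = (PATH_RE.findall(body) or ["?"])[-1]

    # R0/R1/R3: IE start/search settings and URLSearchHooks, classic hijack targets
    if sec.startswith("R"):
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname or url
            if host not in KNOWN_SEARCH_HOSTS:
                findings.append((sec, f"IE search/start setting points at {host}"))

    # Extension components registered without a display name hide their origin
    if "(no name)" in body and sec in ("R3", "O2", "O3"):
        findings.append((sec, f"unnamed component: {last_path}"))

    # O20 Winlogon Notify DLLs load into winlogon.exe before anyone logs on
    if sec == "O20":
        findings.append((sec, f"Winlogon Notify DLL {last_path}: verify publisher"))

    # O23 services: no company string, or HijackThis could not locate the binary
    if sec == "O23":
        if "Unknown owner" in body:
            findings.append((sec, f"service without company name: {last_path}"))
        if "(file missing)" in body:
            findings.append((sec, f"binary not found at {last_path}: confirm on disk"))
    return findings


def triage(log_text):
    """Triage every line and add one finding per CLSID seen in several sections."""
    findings, clsid_sections = [], {}
    for line in log_text.splitlines():
        findings.extend(triage_line(line))
        m = ENTRY_RE.match(line.strip())
        if m:
            for clsid in CLSID_RE.findall(m.group("body")):
                clsid_sections.setdefault(clsid.upper(), set()).add(m.group("sec"))
    for clsid, secs in clsid_sections.items():
        if len(secs) > 1:  # same COM object hooked into more than one IE extension point
            findings.append(("+".join(sorted(secs)),
                             f"same CLSID {clsid} hooks several IE extension points"))
    return findings


if __name__ == "__main__":
    for sec, reason in triage(SAMPLE_LOG):
        print(f"{sec:6} {reason}")
```

On this excerpt the rules single out the Crawler toolbar (ctbr.dll registered as both URLSearchHook and BHO, and crawler.com set as the search provider) and the avast Mail Scanner service. Note the stray `"` before `/service` on the avast O23 lines in the full log: HijackThis 1.99.1 mis-parses a quoted ImagePath that carries arguments and reports "(file missing)" even though the process list in the same log shows ashMaiSv.exe and ashWebSv.exe running, so that flag means "confirm on disk", not "infected". WgaLogon.dll is the Windows Genuine Advantage notification component; the script flags O20 unconditionally only because that hook point is worth a look every time.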
 
Download ComboFix from one of the following links and save it to the Desktop:
download link 1, download link 2
  • Temporarily disable the AV program so it does not interfere with the cleaning process
  • Double-click ComboFix.exe to run it and follow the instructions
  • Do not click with the mouse in the ComboFix window while it is running!
  • When the process is finished, the logfile C:\ComboFix.txt will open in Notepad
  • Copy the contents of that logfile into the thread on the forum
 
After running ComboFix, the following logfile was obtained:

ComboFix 07-11-19.3 - User 2007-11-25 15:06:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.67 [GMT 1:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Created a new restore point
.
ADS - svchost.exe: deleted 68 bytes in 1 streams.
ADS - ntoskrnl.exe: deleted 36 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\User\ravmonlog

.
((((((((((((((((((((((((( Files Created from 2007-10-25 to 2007-11-25 )))))))))))))))))))))))))))))))
.

2007-11-25 11:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-11-25 11:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2007-11-23 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2007-11-23 21:00 <DIR> d-------- C:\Program Files\Common Files\HP
2007-11-23 21:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Tehnicki fakultet u Boru
2007-11-23 21:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2007-11-23 20:59 <DIR> d-------- C:\WINDOWS\Sun
2007-11-23 20:59 <DIR> d-------- C:\Program Files\RichVideoCodec
2007-11-23 20:59 <DIR> d-------- C:\Documents and Settings\User\Application Data\WtmCDProtect
2007-11-23 18:53 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-11-23 18:31 <DIR> d-------- C:\Program Files\Crawler
2007-11-23 18:30 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-11-23 18:30 <DIR> d-------- C:\Documents and Settings\User\Application Data\Spyware Terminator
2007-11-18 12:59 <DIR> d-------- C:\Program Files\Multimedia Protector Premium
2007-11-16 18:19 <DIR> d---s---- C:\Documents and Settings\User\UserData
2007-11-16 17:36 <DIR> d-------- C:\Documents and Settings\User\Application Data\Image Zone Express
2007-11-16 15:01 <DIR> d-------- C:\Documents and Settings\User\Application Data\HP
2007-11-16 14:55 77,824 -ra------ C:\WINDOWS\system32\HPZIDS01.dll
2007-11-16 14:55 49,664 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2007-11-16 14:55 48,128 --a------ C:\WINDOWS\system32\hpzll054.dll
2007-11-16 14:55 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2007-11-16 14:53 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll
2007-11-16 14:53 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2007-11-16 14:53 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2007-11-16 14:53 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2007-11-16 14:53 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2007-11-16 14:53 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2007-11-16 14:52 <DIR> d-------- C:\Program Files\HP
2007-11-16 14:49 31,744 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-11-16 14:49 31,744 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-11-16 14:47 117,699 --a------ C:\WINDOWS\hpoins11.dat
2007-11-16 10:41 204,800 -ra------ C:\WINDOWS\nMconfig.exe
2007-11-16 10:41 62,824 -ra------ C:\WINDOWS\system32\drivers\nMUSB.sys
2007-11-16 10:41 45,056 -ra------ C:\WINDOWS\system32\nMenum.dll
2007-11-16 10:41 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2007-11-16 10:41 25,600 --a--c--- C:\WINDOWS\system32\dllcache\usbser.sys
2007-11-11 11:55 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-11-05 17:34 <DIR> d-------- C:\Program Files\Wtm CD Protect
2007-10-29 20:26 <DIR> d-------- C:\Program Files\Common Files\SolidDocuments
2007-10-29 20:26 20,569 --a------ C:\WINDOWS\system32\pxc25pm.dll
2007-10-29 20:23 <DIR> d-------- C:\Documents and Settings\User\Application Data\SolidDocuments
2007-10-29 19:09 <DIR> d-------- C:\Program Files\SolidDocuments

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-23 20:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-23 20:00 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-23 19:59 --------- d-----w C:\Program Files\SmartDraw 2008
2007-11-23 19:58 --------- d-----w C:\Program Files\Common Files\Ahead
2007-11-23 19:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-11-23 13:21 --------- d-----w C:\Documents and Settings\User\Application Data\AdobeUM
2007-11-23 12:59 --------- d-----w C:\Program Files\QMwin32
2007-11-04 18:58 --------- d-----w C:\Program Files\PDFCreator
2007-10-25 17:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-25 17:05 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-25 17:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-25 17:01 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-25 16:58 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-25 16:24 815,480 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-10-25 16:14 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-09-30 15:31 --------- d-----w C:\Program Files\Google
2007-09-28 14:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-28 14:23 --------- d-----w C:\Program Files\ROUTE66
2007-09-28 07:46 --------- d-----w C:\Documents and Settings\User\Application Data\Ahead
2007-09-28 07:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2007-09-25 11:57 --------- d-----w C:\Program Files\Ahead
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 18:03]
"Internet Download Accelerator"="C:\Program Files\IDA\ida.exe" [2006-12-15 16:38]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 03:33 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-11-01 04:15 C:\WINDOWS\system32\VTTrayp.exe]
"SMSERIAL"="sm56hlpr.exe" [2004-12-29 06:01 C:\WINDOWS\sm56hlpr.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-06-20 14:42 C:\WINDOWS\soundman.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-04 20:29]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-10-25 17:20]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-01-30 17:00]
"WinDVR SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2006-07-18 15:24]
"WinRemote"="C:\Program Files\InterVideo\WinDVR3\WinRemote.exe" [2006-07-18 15:23]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 14:57]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-11-23 18:53]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-08 16:45:42]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-07-16 19:51:55]

R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
R2 Mirage Computer Systems: Multimedia Protector update permissions manager. 14007.;Mirage Computer Systems: Multimedia Protector update permissions manager. 14007.;C:\Program Files\Multimedia Protector Premium\1.3\checkupdmp.exe -PermissionManagerRun
R3 EKBfltr;ENE Keyboard Controller;C:\WINDOWS\system32\DRIVERS\EKBfltr.sys
S3 netModUSBService;Service for netMod USB CAPI Driver;C:\WINDOWS\system32\drivers\nMUSB.sys
S3 TridVid;Trident Analog Video;C:\WINDOWS\system32\DRIVERS\TridVid.sys
S4 Csdssfacxnt;Csdssfacxnt;C:\WINDOWS\system32\drivers\http.sys

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-11-18 12:00:12 C:\WINDOWS\Tasks\Automatic Updates Checking for Multimedia Protector.job"
- C:\Program Files\Multimedia Protector Premium\1.3\checkupdmp.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-25 15:07:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ServiceDll"="%SystemRoot%\System32\msgsvc.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Mirage Computer Systems: Multimedia Protector update permissions manager. 14007.]
.
Completion time: 2007-11-25 15:08:27
.
--- E O F ---
 
Disable the AV before the next step.

Download SmitfraudFix.

  • Restart the computer in Safe Mode (keep pressing F8 while the computer boots and choose Safe Mode from the menu)
  • Double-click SmitfraudFix.exe to run it
  • Choose option #2 - Clean by typing 2 and Enter
  • Wait for the cleaning and Disk Cleanup to finish
  • You will be asked: "Registry cleaning - Do you want to clean the registry ?" Answer "Yes" by typing Y and Enter
  • The program will also check whether wininet.dll is infected. If it is, you will be asked about replacing wininet.dll. Answer "Yes" to the question "Replace infected file ?" by typing Y and Enter

A restart may be needed to finish the cleaning process; if the computer does not restart automatically, do it yourself.
This program will create a logfile C:\rapport.txt, which needs to be copied into the thread on the forum.

After all that, post a new HT log as well.
 
After cleaning, the log file is:

SmitFraudFix v2.254

Scan done at 17:47:20,53, ??? 25.11.2007
Run from C:\Documents and Settings\User\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Program Files\RichVideoCodec\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



The new HT log file is:

Logfile of HijackThis v1.99.1
Scan saved at 17:53:51, on 25.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\WinDVR3\WinRemote.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\IDA\ida.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Multimedia Protector Premium\1.3\checkupdmp.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Install\Pomoc na FORUM-u\Pomoc preko FORUM-a.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - C:\PROGRA~1\IDA\idaiehlp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WinRemote] "C:\Program Files\InterVideo\WinDVR3\WinRemote.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Download ALL with IDA - C:\Program Files\IDA\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Program Files\IDA\idaie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Mirage Computer Systems: Multimedia Protector update permissions manager. 14007. - Unknown owner - C:\Program Files\Multimedia Protector Premium\1.3\checkupdmp.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
 
I think the malware appeared once more in the meantime.
I am sure of it because at this very moment, while writing this message, it was detected again by AV Avast! 4.7 and I put it in the chest.

By the way, in the first attempt I wanted to install Wtm CD Protect but it did not work correctly. I want to get rid of it for good. I don't want to see even a trace of it anymore. Maybe this problem came from there.
Please give me your opinion on that, and tell me how to remove all the files related to Wtm CD Protect.

Thankful, Ivan from Pirot.
 
Please take a look at what I found on the internet.
I'm not entirely sure, because of my modest knowledge of English, but they too suggest a similar procedure for removing the virus.

Colby:
I keep getting this virus Thing :o

File name: c:docume~1\user\LOCAS~1\temp\BIT89F.tpm
Malware name: Win32:Zlober [Drp]
Type: Dropper
VPS Version 000780-2 10/11/2007

I have tried deleting, moving/renaming, and moving it to the chest, and taking no action, and it KEEPS coming back GRRRRR

Tech:
If a virus is replicating (coming back again and again), you could follow the general cleaning procedure:

1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again after step 3.

2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).

4. It would be good if you download, install, update and run AVG Anti-Spyware. Some users recommend SUPERAntiSpyware, Spyware Terminator and/or a-squared (take care about false positives).
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

5. If you are still detecting any strange behavior, or you're sure you're not clean, it may be good to test your machine with anti-rootkit applications. I suggest AVG or Panda.

6. Also, if you are still detecting strange behavior or you want to be sure you're clean, making a HijackThis log to post here and, especially, scanning and submitting the RunScanner log for on-line analysis may help to identify the problem and the solution.

7. After you're clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

8. Finally, when you're clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.

Colby:
So far it's working. Thanks

DavidR:
What would be helpful to others is what tools did you try and what results were found.
What was the malware name, the infected file/s name and where it was located, e.g. (C:\windows\system32\infected-file-name.***) ?

If malware is found, then if possible you should send samples to avast so that detections can be improved.

Send the sample to virus@avast.com zipped and password protected with password in email body and false positive/undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

Welcome to the forums.

GrahamE:
Quote from: Tech on October 11, 2007, 11:15:09 PM

7. After you're clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.



Ok, I'm sorry that I'm going off at a slight tangent here, but after your recommendation, I downloaded and installed this 'Windows Advanced Care' program.
It tells me that I have no infections, but that I should immunise about 34,000 items. Why? If so far, my security has held up okay, why do I need to immunise 34,000 (YES!! 34 THOUSAND!!) items??

Most importantly I feel, why, in regard to Startup items, is it telling me to remove startup entries for:

AVAST4/ASHDISP.EXE
ZoneAlarm
SpywareTerminator
ATI Graphics card

This is one weird program for you to be recommending!??!
 
Well, when Avast detects something, it will certainly print the location/name of the file.
You can probably also see it in the "chest" itself.

As for this guide... You can do a boot-time scan if you want (although, if the file keeps coming back, that won't help).

In principle, I would very much like to see a copy of what avast detects. Go and check whether it is possible to copy files out of the chest.
 
First I uninstalled and deleted all the programs I considered suspicious.

During a detailed scan with the Avast! AV program no viruses were found. The only things it reported were files it could not scan because they were locked and it could not access them. A few files also appeared there which it declared to be time bombs, and it did not scan those.

I also scanned the computer with the following software: Ad-Aware SE Personal, Spybot S&D, Spyware Terminator. None of them found a serious problem. Some cookies were found, which were fixed or deleted.

The problem with the virus malware Win32: Zlober [Drp] still exists. It appears when I connect to the internet. Avast AV detects it and immediately suggests that I put it in the chest. But it is some temporary file (path: Temp folder).

What should I do? What is your advice?
Should I run Avast AV (give it the command to scan) from DOS while the system boots?
 
OK... I'm not quite sure how avast works, so I can't tell you precisely.

Check in the "chest" whether there is an option to copy the files you moved there somewhere else. If there is, do that.

If there is no such option, do the following: the next time the AV reports malware, "tell" it to leave the file where it is, i.e. not to delete it.
After that, in Windows Explorer, Tools menu: Folder Options: on the View tab:
- check Show hidden files and folders
- uncheck Hide protected operating system files (Recommended).

Now find the detected file in this folder:

C:\Documents and settings\User\Local settings\Temp\

copy it somewhere else, zip it and attach it to your message.

I want to see this file so that I can first check whether it is malicious at all, and if it is, so that I have a better insight into what is causing the problems here.

Btw, is your Avast updated?
 
We'll use SmitFraudFix again. Delete the one you currently have and download a new one (it has been updated in the meantime). Turn off Avast before downloading.

Download SmitfraudFix.

  • Restart the computer in Safe Mode (press F8 repeatedly while the computer starts and choose Safe Mode from the menu)
  • Double-click SmitfraudFix.exe to run it
  • Choose option #2 - Clean by typing 2 and Enter
  • Wait for the cleaning and Disk Cleanup to finish
  • You will be asked: "Registry cleaning - Do you want to clean the registry ?" Answer "Yes" by typing Y and Enter
  • The program will also check whether wininet.dll is infected. If it is, you will be asked about replacing wininet.dll. Answer "Yes" to the question "Replace infected file ?" by typing Y and Enter

A restart may be needed to finish the cleaning process; if the computer does not restart automatically, do it yourself.
This program will create a logfile C:\rapport.txt which you need to copy into the forum thread.


After that, post a new HT log as well.
 
The new log after using SmitfraudFix is:

SmitFraudFix v2.255

Scan done at 19:39:01,68, ??? 26.11.2007
Run from C:\Documents and Settings\User\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



The new HT log is:

Logfile of HijackThis v1.99.1
Scan saved at 19:49:45, on 26.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\WinDVR3\WinRemote.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\IDA\ida.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Multimedia Protector Premium\1.3\checkupdmp.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
D:\Install\Pomoc na FORUM-u\1-HijeckThis\Pomoc preko FORUM-a.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - C:\PROGRA~1\IDA\idaiehlp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WinRemote] "C:\Program Files\InterVideo\WinDVR3\WinRemote.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Download ALL with IDA - C:\Program Files\IDA\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Program Files\IDA\idaie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Mirage Computer Systems: Multimedia Protector update permissions manager. 14007. - Unknown owner - C:\Program Files\Multimedia Protector Premium\1.3\checkupdmp.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
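The HijackThis logs in this thread are read by eye: the helper looks for services whose binary is missing, autostart entries that point into a Temp folder (where the user says the detected file lives), and Internet Explorer search/start URLs that have been redirected. The script below is an added example, not part of the thread and not HijackThis' own code: it parses a constructed log in the same v1.99 line format and lists those review items. The sample lines, the `DEFAULT_HOSTS` allowlist and the `.test` hostname are assumptions made for the example; every hit is something to look at, not a verdict.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99 format (not the log posted in this thread).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\User\Local Settings\Temp\svchost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.example-toolbar.test/search/ie.aspx
O2 - BHO: Example PDF Helper - {06849E9F-0000-0000-0000-000000000000} - C:\Program Files\Example\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\User\Local Settings\Temp\updater.exe
O23 - Service: Example Web Scanner - Unknown owner - C:\Program Files\Example\webscan.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# "O4 - HKLM\..\Run: [...]" style entries: a section code, " - ", the rest.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# First Windows path ending in an executable-type extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]\s][^"\[\]]*?\.(?:exe|dll|sys|scr|cpl|ocx)', re.IGNORECASE)
# Directories from which nothing legitimate should autostart or run persistently.
TEMP_RE = re.compile(r"\\(?:temp|temporary internet files)\\", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Assumed allowlist of hosts an untouched IE 6 search/start page points at.
DEFAULT_HOSTS = ("microsoft.com", "msn.com", "live.com")


def parse_hjt(text):
    """Return a list of (code, raw_text, path_or_None).

    Running processes get the pseudo-code "PROC"; R/F/N/O entries keep their code.
    """
    entries = []
    in_procs = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # blank line ends the process list
                in_procs = False
                continue
            entries.append(("PROC", line, line))
            continue
        m = ENTRY_RE.match(line)
        if m:
            pm = PATH_RE.search(m.group(2))
            entries.append((m.group(1), m.group(2), pm.group(0) if pm else None))
    return entries


def triage(entries):
    """Defender-side heuristics over parsed entries; returns (code, reason, detail) tuples."""
    findings = []
    for code, raw, path in entries:
        if code == "O23" and "(file missing)" in raw:
            findings.append((code, "service binary not found on disk", path))
        if path and TEMP_RE.search(path):
            findings.append((code, "executable under a Temp directory", path))
        if code in ("R0", "R1"):
            um = URL_RE.search(raw)
            if um:
                host = urlparse(um.group(0)).hostname or ""
                if not host.endswith(DEFAULT_HOSTS):
                    findings.append((code, f"IE search/start URL points at {host}", um.group(0)))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{code:5} {reason}: {detail}")
```

On the constructed sample this lists four items: the process and the HKCU Run entry under `Local Settings\Temp`, the R1 search URL on a non-default host, and the O23 service marked `(file missing)`. The `(file missing)` check is deliberately literal, because that string is HijackThis' own annotation for a service whose registered path it could not open; it is not a sign of infection by itself.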
 
All clean... I don't see what is creating these files.

Tell me, which Avast module reports this to you (Web Shield or...)?
Could you make a screenshot when it shows the detection?

Do this as well:

Download Gmer.
  • Unpack the archive into a folder
  • Double-click gmer.exe to run it
  • On the Rootkit tab, click the Scan button
  • When the scan is finished, click the Save ... button and save the log as file1.txt
  • Click the >>> button to get access to the other tabs
  • On the AutoStart tab, click the Scan button
  • When the scan is finished, click the Copy button (this copies the log to the Clipboard)
  • Open Notepad, paste the copied log and save it as file2.txt
  • Attach file1.txt and file2.txt to your next message
 
The new log is:

ComboFix 07-11-19.4 - User 2007-11-27 23:07:26.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.134 [GMT 1:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
.

2007-11-26 17:27 <DIR> d-------- C:\unzipped
2007-11-25 17:47 2,982 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-25 17:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-11-25 11:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-11-25 11:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2007-11-23 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2007-11-23 21:00 <DIR> d-------- C:\Program Files\Common Files\HP
2007-11-23 21:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Tehnicki fakultet u Boru
2007-11-23 21:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2007-11-23 20:59 <DIR> d-------- C:\WINDOWS\Sun
2007-11-23 20:59 <DIR> d-------- C:\Documents and Settings\User\Application Data\WtmCDProtect
2007-11-23 18:53 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-11-23 18:30 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-11-23 18:30 <DIR> d-------- C:\Documents and Settings\User\Application Data\Spyware Terminator
2007-11-18 12:59 <DIR> d-------- C:\Program Files\Multimedia Protector Premium
2007-11-16 18:19 <DIR> d---s---- C:\Documents and Settings\User\UserData
2007-11-16 17:36 <DIR> d-------- C:\Documents and Settings\User\Application Data\Image Zone Express
2007-11-16 15:01 <DIR> d-------- C:\Documents and Settings\User\Application Data\HP
2007-11-16 14:55 77,824 -ra------ C:\WINDOWS\system32\HPZIDS01.dll
2007-11-16 14:55 49,664 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2007-11-16 14:55 48,128 --a------ C:\WINDOWS\system32\hpzll054.dll
2007-11-16 14:55 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2007-11-16 14:53 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll
2007-11-16 14:53 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2007-11-16 14:53 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2007-11-16 14:53 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2007-11-16 14:53 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2007-11-16 14:53 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2007-11-16 14:52 <DIR> d-------- C:\Program Files\HP
2007-11-16 14:49 31,744 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-11-16 14:49 31,744 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-11-16 14:47 117,699 --a------ C:\WINDOWS\hpoins11.dat
2007-11-16 10:41 204,800 -ra------ C:\WINDOWS\nMconfig.exe
2007-11-16 10:41 62,824 -ra------ C:\WINDOWS\system32\drivers\nMUSB.sys
2007-11-16 10:41 45,056 -ra------ C:\WINDOWS\system32\nMenum.dll
2007-11-16 10:41 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2007-11-16 10:41 25,600 --a--c--- C:\WINDOWS\system32\dllcache\usbser.sys
2007-11-11 11:55 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-11-05 17:34 <DIR> d-------- C:\Program Files\Wtm CD Protect
2007-10-29 20:26 <DIR> d-------- C:\Program Files\Common Files\SolidDocuments
2007-10-29 20:26 20,569 --a------ C:\WINDOWS\system32\pxc25pm.dll
2007-10-29 20:23 <DIR> d-------- C:\Documents and Settings\User\Application Data\SolidDocuments
2007-10-29 19:09 <DIR> d-------- C:\Program Files\SolidDocuments

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-23 20:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-23 20:00 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-23 19:59 --------- d-----w C:\Program Files\SmartDraw 2008
2007-11-23 19:58 --------- d-----w C:\Program Files\Common Files\Ahead
2007-11-23 19:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-11-23 13:21 --------- d-----w C:\Documents and Settings\User\Application Data\AdobeUM
2007-11-23 12:59 --------- d-----w C:\Program Files\QMwin32
2007-11-04 18:58 --------- d-----w C:\Program Files\PDFCreator
2007-10-25 17:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-25 17:05 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-25 17:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-25 17:01 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-25 16:58 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-25 16:24 815,480 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-10-25 16:14 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-09-30 15:31 --------- d-----w C:\Program Files\Google
2007-09-28 14:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-28 14:23 --------- d-----w C:\Program Files\ROUTE66
2007-09-28 07:46 --------- d-----w C:\Documents and Settings\User\Application Data\Ahead
2007-09-28 07:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
.

((((((((((((((((((((((((((((( snapshot@2007-11-25_15.07.58,43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-26 19:49:52 585,791 ----a-w C:\WINDOWS\gmer.dll
+ 2007-06-29 08:38:18 581,632 ----a-w C:\WINDOWS\gmer.exe
+ 2007-11-26 19:49:52 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
+ 2007-11-26 16:02:43 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_5b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 18:03]
"Internet Download Accelerator"="C:\Program Files\IDA\ida.exe" [2006-12-15 16:38]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 03:33 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-11-01 04:15 C:\WINDOWS\system32\VTTrayp.exe]
"SMSERIAL"="sm56hlpr.exe" [2004-12-29 06:01 C:\WINDOWS\sm56hlpr.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-06-20 14:42 C:\WINDOWS\soundman.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-04 20:29]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-10-25 17:20]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-01-30 17:00]
"WinDVR SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2006-07-18 15:24]
"WinRemote"="C:\Program Files\InterVideo\WinDVR3\WinRemote.exe" [2006-07-18 15:23]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 14:57]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-11-23 18:53]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-08 16:45:42]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-07-16 19:51:55]

R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
R2 Mirage Computer Systems: Multimedia Protector update permissions manager. 14007.;Mirage Computer Systems: Multimedia Protector update permissions manager. 14007.;C:\Program Files\Multimedia Protector Premium\1.3\checkupdmp.exe -PermissionManagerRun
R3 EKBfltr;ENE Keyboard Controller;C:\WINDOWS\system32\DRIVERS\EKBfltr.sys
S3 netModUSBService;Service for netMod USB CAPI Driver;C:\WINDOWS\system32\drivers\nMUSB.sys
S3 TridVid;Trident Analog Video;C:\WINDOWS\system32\DRIVERS\TridVid.sys
S4 Csdssfacxnt;Csdssfacxnt;C:\WINDOWS\system32\drivers\http.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-18 12:00:12 C:\WINDOWS\Tasks\Automatic Updates Checking for Multimedia Protector.job"
- C:\Program Files\Multimedia Protector Premium\1.3\checkupdmp.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 23:09:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ServiceDll"="%SystemRoot%\System32\msgsvc.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Mirage Computer Systems: Multimedia Protector update permissions manager. 14007.]
.
Completion time: 2007-11-27 23:09:49
.
--- E O F ---
 
