Help! Viruses....

zeksiv

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:18:49, on 24.4.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\nMtsk.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\01381593\01381593.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Documents and Settings\Admin.PC-0EC8CDAADA00\mscup2.exe
C:\Documents and Settings\Admin.PC-0EC8CDAADA00\mscup2.exe
C:\Documents and Settings\Admin.PC-0EC8CDAADA00\mscup2.exe
C:\Documents and Settings\Admin.PC-0EC8CDAADA00\mscup2.exe
C:\Documents and Settings\Admin.PC-0EC8CDAADA00\Desktop\PeraZdera\zmajj.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEocx Class - {06ec6572-7280-485a-a712-c380526bc048} - C:\WINDOWS\ieocx.dll
O2 - BHO: UrlHelper Class - {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareMediaBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [nMTaskBarService] nMtsk.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [01381593] C:\Documents and Settings\All Users.WINDOWS\Application Data\01381593\01381593.exe
O4 - HKLM\..\Run: [01662234] C:\Documents and Settings\All Users.WINDOWS\Application Data\01662234\01662234.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [12CFG914-K641-26SF-N32P] C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JS...0/&filename=jinstall-6u13-windows-i586-jc.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O23 - Service: ?????? Google Update (gupdate1c9b7bc57c12942) (gupdate1c9b7bc57c12942) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7363 bytes
 
So... there are a few things that are questionable (at least to me):
C:\Documents and Settings\All Users.WINDOWS\Application Data\01381593\01381593.exe
... if these folders and this executable are familiar to you, OK; if not...
C:\Documents and Settings\Admin.PC-0EC8CDAADA00\mscup2.exe
... same for this one, it shows up several times.
C:\Documents and Settings\Admin.PC-0EC8CDAADA00\Desktop\PeraZdera\zmajj.exe
... is this HijackThis or not? If it is, OK; if not...
O2 - BHO: IEocx Class - {06ec6572-7280-485a-a712-c380526bc048} - C:\WINDOWS\ieocx.dll
... this one can go > Fix Checked.
O4 - HKLM\..\Run: [01381593] C:\Documents and Settings\All Users.WINDOWS\Application Data\01381593\01381593.exe
... same as the first item.
O4 - HKLM\..\Run: [01662234] C:\Documents and Settings\All Users.WINDOWS\Application Data\01662234\01662234.exe
... same for this one.
O4 - HKCU\..\Run: [12CFG914-K641-26SF-N32P] C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe
... this one can go > Fix Checked.
O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
... this one can go > Fix Checked too.

So, for the items in bold: if you know what they are, OK; if not... Fix Checked.

Turn off System Restore, boot into Safe Mode, run HijackThis and tick every item from the list above that you don't recognise.

It wouldn't hurt to scan the computer with Malwarebytes afterwards as well.
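The triage in the post above is done by eye: an entry is suspicious because of where its file lives, what its Run value is named, or whether the file is still there. As an added example (not from this thread and not part of HijackThis itself), the Python below parses O2/O3/O4 lines and applies those same observations as heuristics: a Run value named only with digits, a numeric folder under Application Data, anything launching from RECYCLER, a DLL dropped straight into C:\WINDOWS, a "(file missing)" object, and an unexpected autostart in a service-account hive. The sample lines are copied from the two logs posted here; the heuristics are assumptions about what typically separates vendor software from droppers, so a hit means "look at this", not "malicious".

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: O2/O3/O4 lines copied from the two HijackThis
# logs posted in this thread (nothing else about the machine is assumed).
SAMPLE_LOG = r"""
O2 - BHO: IEocx Class - {06ec6572-7280-485a-a712-c380526bc048} - C:\WINDOWS\ieocx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareMediaBar.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [01381593] C:\Documents and Settings\All Users.WINDOWS\Application Data\01381593\01381593.exe
O4 - HKLM\..\Run: [01662234] C:\Documents and Settings\All Users.WINDOWS\Application Data\01662234\01662234.exe
O4 - HKCU\..\Run: [12CFG914-K641-26SF-N32P] C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe
O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
"""

# O4 - <hive>\..\Run: [<name>] <command> [(User '<account>')]
RUN_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
# O2 - BHO: <name> - {<clsid>} - <path> [(file missing)]; O3 Toolbar has the same shape
OBJ_RE = re.compile(
    r"^O(?P<kind>[23]) - (?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[^}]*)\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# First executable/DLL path in a Run command, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|com|scr|bat|cmd|pif))', re.IGNORECASE)
# HKUS hives of SYSTEM, LOCAL SERVICE, NETWORK SERVICE and the default profile.
SERVICE_HIVE_RE = re.compile(r"^hkus\\(s-1-5-(?:18|19|20)|\.default)$")


def suspicious_reasons(name: str, path: str, hive: str = "", missing: bool = False) -> list[str]:
    """Heuristics (assumptions, not verdicts) for why an autostart entry deserves a look."""
    p = path.lower()
    base = p.rsplit("\\", 1)[-1]
    reasons = []
    if missing:
        reasons.append("registered but the file is gone (stale entry, safe to Fix)")
    if "\\recycler\\" in p:
        reasons.append("runs from the Recycle Bin (RECYCLER)")
    if name.isdigit():
        reasons.append("Run value name is just a number")
    if re.search(r"\\application data\\(?=[0-9a-f]*\d)[0-9a-f]{4,}\\", p):
        reasons.append("lives in a numeric/hex-named folder under Application Data")
    if re.search(r"\\documents and settings\\[^\\]+\\[^\\]+$", p):
        reasons.append("executable sits directly in a profile root")
    if re.fullmatch(r"[a-z]:\\windows\\[^\\]+", p):
        reasons.append("file directly in the Windows directory rather than System32")
    if SERVICE_HIVE_RE.match(hive.lower()) and base != "ctfmon.exe":
        reasons.append("unexpected autostart in a service-account/default hive")
    return reasons


@dataclass
class Finding:
    kind: str            # "O2", "O3" or "O4"
    name: str
    path: str
    reasons: list[str] = field(default_factory=list)


def triage(log_text: str) -> list[Finding]:
    """Return only the entries that trip at least one heuristic, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            em = EXE_RE.match(m["cmd"])
            path = em["path"] if em else m["cmd"]
            reasons = suspicious_reasons(m["name"], path, hive=m["hive"])
            kind, name = "O4", m["name"]
        else:
            m = OBJ_RE.match(line)
            if not m:
                continue
            path = m["path"]
            reasons = suspicious_reasons(m["name"], path, missing=bool(m["missing"]))
            kind, name = "O" + m["kind"], m["name"]
        if reasons:
            findings.append(Finding(kind, name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} [{f.name}] {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample it reports six entries (ieocx.dll, the stale BearShare toolbar, both numeric Run values, the RECYCLER entry and msnsc.exe) and stays quiet on the Google Toolbar, Java updater and CTFMON lines. Paste a whole log into SAMPLE_LOG to triage it; the "Running processes" section is ignored, so something like mscup2.exe that runs without an O4 entry still has to be noticed by hand.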
 
@colleague DekiM

What you wrote above is OK, but it still won't solve the problem with the existing viruses, because HT itself is not capable of deleting everything, including the registry keys behind these problems, so the problem will come back even with System Restore turned off..
I don't have time to analyse this log in detail, but if I find the time I'll look at it more closely..
 
C:\Documents and Settings\Admin.PC-0EC8CDAADA00\Desktop\PeraZdera\zmajj.exe
This is HijackThis...
O2 - BHO: IEocx Class - {06ec6572-7280-485a-a712-c380526bc048} - C:\WINDOWS\ieocx.dll
I don't know what this is....
O4 - HKLM\..\Run: [01381593] C:\Documents and Settings\All Users.WINDOWS\Application Data\01381593\01381593.exe
Don't know what it is....
O4 - HKLM\..\Run: [01662234] C:\Documents and Settings\All Users.WINDOWS\Application Data\01662234\01662234.exe
No idea....
O4 - HKCU\..\Run: [12CFG914-K641-26SF-N32P] C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe
No idea...

O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
No idea....

I've never worked with HijackThis before, so I'm afraid I'll mess something up in Safe Mode; could you explain in more detail...
 
ComboFix 09-04-25.03 - Admin 25.04.2009 9:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.719 [GMT 2:00]
Running from: c:\documents and settings\Admin.PC-0EC8CDAADA00\Desktop\Prijemni - MG\PeraZdera\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Outdated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\comp\Favorites\Download programs.url
c:\documents and settings\comp\Favorites\Games.url
c:\documents and settings\comp\Favorites\Translator.url
c:\documents and settings\comp\Favorites\Videos.url
C:\resycled
c:\resycled\boot.com
c:\windows\IE4 Error Log.txt
c:\windows\ieocx.dll
c:\windows\jestertb.dll
c:\windows\system32\kr_done1
c:\windows\system32\mdm.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-4-25 )))))))))))))))))))))))))))))))
.

2009-04-24 19:58 . 2009-04-24 19:58 512096 ----a-w c:\windows\system32\drivers\amon.sys
2009-04-24 19:58 . 2009-04-24 19:58 298104 ----a-w c:\windows\system32\imon.dll
2009-04-24 19:58 . 2009-04-24 19:58 15424 ----a-w c:\windows\system32\drivers\nod32drv.sys
2009-04-24 19:48 . 2009-04-24 19:48 -------- d-----w c:\documents and settings\Admin.PC-0EC8CDAADA00\Application Data\Lavasoft
2009-04-24 18:22 . 2009-04-24 21:11 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\01662234
2009-04-24 17:49 . 2009-04-25 07:01 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\01381593
2009-04-23 12:08 . 2009-04-24 19:38 81984 ----a-w c:\windows\system32\bdod.bin
2009-04-22 20:09 . 2009-04-24 20:36 8552 ----a-w c:\documents and settings\Admin.PC-0EC8CDAADA00\bv2.exe
2009-04-22 18:54 . 2009-04-22 18:54 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\2036B
2009-04-22 18:41 . 2009-04-22 18:41 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\182AF
2009-04-22 16:20 . 2009-04-24 20:36 35766 ----a-w c:\documents and settings\Admin.PC-0EC8CDAADA00\mscup2.exe
2009-04-22 06:49 . 2009-04-22 06:49 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\3A242
2009-04-21 17:14 . 2009-04-24 20:29 35766 ----a-w c:\documents and settings\Admin.PC-0EC8CDAADA00\iclose.exe
2009-04-13 15:16 . 2009-04-13 15:16 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\369C
2009-04-10 13:02 . 2009-04-10 13:03 -------- d-----w c:\windows\system32\NtmsData
2009-04-08 10:37 . 2009-04-08 10:37 -------- d-----w c:\documents and settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Google
2009-04-07 20:06 . 2009-04-07 20:06 56 ---ha-w c:\windows\system32\ezsidmv.dat
2009-04-07 20:06 . 2009-04-07 20:06 -------- d-----w c:\documents and settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Google
2009-04-07 20:06 . 2009-04-24 18:22 -------- d-----w c:\documents and settings\Admin.PC-0EC8CDAADA00\Application Data\skypePM
2009-04-04 12:47 . 2009-04-04 12:47 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-30 21:57 . 2009-04-24 18:24 -------- d-----w c:\documents and settings\Admin.PC-0EC8CDAADA00\Application Data\Skype
2009-03-30 21:57 . 2009-04-07 20:06 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-24 20:15 . 2008-11-27 20:29 -------- d-----w c:\program files\Eset
2009-04-23 12:02 . 2009-04-23 11:57 -------- d-----w c:\program files\Common Files\Softwin
2009-04-23 08:50 . 2008-07-12 19:26 -------- d-----w c:\program files\Winamp
2009-04-20 17:32 . 2008-12-28 14:08 -------- d-----w c:\documents and settings\Admin.PC-0EC8CDAADA00\Application Data\BearShare
2009-04-18 08:11 . 2009-04-18 08:11 -------- d-----w c:\program files\Alwil Software
2009-04-17 19:33 . 2009-04-11 17:35 -------- d-----w c:\program files\BearShare Applications
2009-04-14 12:22 . 2009-04-14 12:22 0 ----a-w c:\documents and settings\Admin.PC-0EC8CDAADA00\Application Data\~eu37.tmp
2009-04-07 20:07 . 2008-01-09 12:46 -------- d-----w c:\program files\Google
2009-04-07 20:06 . 2009-03-30 21:56 -------- d-----r c:\program files\Skype
2009-04-07 20:06 . 2008-01-23 18:27 -------- d-----w c:\program files\Common Files\Skype
2009-04-04 12:47 . 2008-03-09 20:41 -------- d-----w c:\program files\Java
2009-01-09 21:03 . 2008-11-28 17:56 67928 ----a-w c:\documents and settings\Admin.PC-0EC8CDAADA00\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-10 14:42 . 2008-12-10 14:42 144 ----a-w c:\documents and settings\Admin.PC-0EC8CDAADA00\Local Settings\Application Data\fusioncache.dat
2008-11-19 20:18 . 2008-11-19 20:18 322 ----a-w c:\documents and settings\Admin\Local Settings\Application Data\Bron.tok.A16.em.bin
2008-11-15 18:23 . 2008-03-09 20:50 79680 ----a-w c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-09-27 22:00 . 2008-01-09 18:04 87608 ----a-w c:\documents and settings\comp\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
2008-09-02 14:05 398776 ----a-w c:\program files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-21 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2002-12-31 15360]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-30 32768]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"QuickTime Task"="c:\program files\K-Lite Codec Pack\QuickTime\qttask.exe" [2007-10-19 286720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-04 148888]
"01381593"="c:\documents and settings\All Users.WINDOWS\Application Data\01381593\01381593.exe" [2009-04-24 17:49 387641]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2009-04-24 949376]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]
"nMTaskBarService"="nMtsk.exe" - c:\windows\nMtsk.exe [2005-05-06 90112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2002-12-31 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2005-12-13 7094272]
"msnsc"="c:\windows\system32\msnsc.exe" [2002-12-31 62054]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="1"
"UpdatesDisableNotify"="1"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"c:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 gupdate1c9b7bc57c12942;?????? Google Update (gupdate1c9b7bc57c12942);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-07 133104]
R3 a016bus;Sony Ericsson Device A016 driver (WDM);c:\windows\system32\DRIVERS\a016bus.sys [2008-01-18 83880]
R3 a016mdfl;Sony Ericsson Device A016 USB WMC Modeme Filter;c:\windows\system32\DRIVERS\a016mdfl.sys [2008-01-18 15016]
R3 a016mdm;Sony Ericsson Device A016 USB WMC Modem Driver;c:\windows\system32\DRIVERS\a016mdm.sys [2008-01-18 110504]
R3 a016mgmt;Sony Ericsson Device A016 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\a016mgmt.sys [2008-01-18 104488]
R3 a016obex;Sony Ericsson Device A016 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\a016obex.sys [2008-01-18 100648]
S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-04-24 15424]


--- Other Services/Drivers In Memory ---

*Deregistered* - gupdate1c9b7bc57c12942
.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-07 20:06]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-12CFG914-K641-26SF-N32P - c:\recycler\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe
HKLM-Run-01662234 - c:\documents and settings\All Users.WINDOWS\Application Data\01662234\01662234.exe
 
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
LSP: c:\windows\system32\imon.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 09:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(680)
c:\windows\system32\imon.dll
.
Completion time: 2009-04-25 9:14
ComboFix-quarantined-files.txt 2009-04-25 07:14

Pre-Run: 5.695.668.224 bytes free
Post-Run: 7.457.251.328 bytes free

 
Fix everything you don't recognise, but HJT probably won't be able to do it, so it wouldn't hurt to find and shut down the services (stop and disable) and processes of this junk first, and then Fix.
And you could also write what exactly is bothering you.
 
I ran a scan with NOD32 and it deleted 6 viruses or whatever they were... I've been hearing sounds, like some radio stations, when I'm online.... IE runs very slowly.... When I turn the computer on I get two errors, SetWindowPos Failed and Error code 1406...
 
@niceboy
Please don't give this kind of advice any more..

The man has posted both the HT log and the CF log, which need to be analysed and a solution given..
What you wrote has nothing to do with the problem here..
I only dropped in briefly; as soon as I get to look at the log in more detail I'll write up a solution..
 
Don't be lazy: rename HijackThis to anything else and post us a new log..
I suspect there are still some nasty things left, but I'm not sure exactly what, so let's see what's next..

And are you using Avast AV, or have you used AVAST???
 
GZ:
Don't be lazy: rename HijackThis to anything else and post us a new log..
I suspect there are still some nasty things left, but I'm not sure exactly what, so let's see what's next..

And are you using Avast AV, or have you used AVAST???
I had renamed it when I made that log; I used Avast...

I don't have Avast any more....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:49, on 26.4.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\nMtsk.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Admin.PC-0EC8CDAADA00\Desktop\Prijemni - MG\PeraZdera\zmajj.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareMediaBar.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [nMTaskBarService] nMtsk.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JS...0/&filename=jinstall-6u13-windows-i586-jc.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O23 - Service: ?????? Google Update (gupdate1c9b7bc57c12942) (gupdate1c9b7bc57c12942) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6047 bytes
 
