Stubborn virus or trojan

Bokacio
Stubborn virus or trojan, 13.09.2009 at 20:22
Hello,

I am struggling with some unknown virus that does not let antivirus programs such as Kaspersky, AVG, and the ZoneAlarm firewall start at all.

It also keeps removing my rights to start regedit and Task Manager. I restored those rights and killed almost all the tasks, but it still keeps removing them.

I don't know whether it is something with the internet, but it won't even open the page www.pandasecurity.com ?!?

Is there any help against this virus/trojan/worm?

I am thinking of reinstalling the whole system, but cleaning the current system might help me with the transfer and backup.

Regards and thanks
 
magna86 (Anti Malware Fighter)
Re: Stubborn virus or trojan, 13.09.2009 at 20:32
To begin with, read the pinned topic "Instructions for using the programs: HijackThis / ComboFix" and post a HijackThis log according to the instructions.



 
icobh (Igor Pejašinović, Network Admin, Navigo SC d.o.o., Banja Luka)
Re: Stubborn virus or trojan, 13.09.2009 at 20:37
Hmm. Have you tried killing Explorer? I think Explorer has pulled in some malicious plugin or is infected...

Bokacio
Re: Stubborn virus or trojan, 13.09.2009 at 20:48
Here is the report from HijackThis:

Quote:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:04 PM, on 9/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Win\lsass.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\inetsrv\DavCData.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
C:\WINDOWS\system32\taskmgr.exe
C:\DOCUME~1\Bojan\LOCALS~1\Temp\hpash.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [run32] C:\Win\lsass.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

--
End of file - 5882 bytes


I hope this helps.

PS. I will try to kill Explorer and then try to start Task Manager using CTRL+ALT+DEL
 
Boris
Re: Stubborn virus or trojan, 13.09.2009 at 20:48
Or try starting some of that from Safe Mode...??

icobh
Re: Stubborn virus or trojan, 13.09.2009 at 20:53
Suspicious:

Code:
C:\Win\lsass.exe
C:\DOCUME~1\Bojan\LOCALS~1\Temp\hpash.exe

O4 - HKLM\..\Run: [run32] C:\Win\lsass.exe


Try to delete/fix that somehow.

Boris
Re: Stubborn virus or trojan, 13.09.2009 at 20:56
Try to clean that up and then run the scan again:


C:\DOCUME~1\Bojan\LOCALS~1\Temp\hpash.exe
C:\Win\lsass.exe
O4 - HKLM\..\Run: [run32] C:\Win\lsass.exe

You'll probably have some hassle there, because this hpash.exe probably brings C:\Win\lsass.exe back to life when you delete it... Or maybe not :D

kristi1
Re: Stubborn virus or trojan, 13.09.2009 at 21:06
@Bokacio wait for magna to handle it, don't poke at anything.

Bokacio
Re: Stubborn virus or trojan, 13.09.2009 at 21:09
Just to note that Safe Mode does not work for me. Whether that is the virus's doing, I'm not sure.

I am now trying to find hpash but it is nowhere to be found (I looked in C:\DOCUME~1\Bojan\LOCALS~1\Temp\hpash.exe)

It still blocks Task Manager and Regedit. lsass showed up as a system process and won't let me End Task it.

I managed to start Malwarebytes and it supposedly found lsass, but the virus seems to still be running, because every few seconds it locks access to Task Manager and Regedit.
 
kristi1
Re: Stubborn virus or trojan, 13.09.2009 at 21:28
Download ComboFix to the Desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Turn off Kaspersky.
Run ComboFix from the desktop, and click Yes or OK on every prompt.
When it finishes scanning, attach the log you get.
 
Bokacio
Re: Stubborn virus or trojan, 13.09.2009 at 22:21
I'll have to run ComboFix again, it hung at stage_50.

Also to note that I cannot open some AV sites while the virus is active.
 
icobh
Re: Stubborn virus or trojan, 13.09.2009 at 22:31
Download the Avira Rescue CD ISO image, burn it to a CD, boot the computer from that CD and clean the PC. That's the easiest way for you.

Milos911 (Serbia)
Re: Stubborn virus or trojan, 13.09.2009 at 22:53
Quote:
lsass showed up as a system process and won't let me End Task it.

It didn't show up, it has always been there. It is a system process, but it is located in the windows/?? folder. Not in win. The one in win is the virus.
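What icobh and Milos911 did by eye above (the lsass.exe under C:\Win is the suspect because the real one lives in the Windows system directory, and the [run32] Run key and the DisableRegedit policy are what keep it alive) can be scripted against the log itself. The following is an added example written for this page, not a tool from the thread or from the HijackThis project. It assumes %SystemRoot% is C:\WINDOWS as in the posted log; the expected-location table and the trusted roots are my own choice, and the sample log lines are copied from the HijackThis log posted above.

```python
"""Triage a HijackThis log for the pattern discussed in this thread.

Added example, not a tool from the original posts. It flags:
  * a file named like a core Windows binary (lsass.exe, svchost.exe, ...)
    running from a directory where that binary never lives (C:\\Win),
  * executables launched from a Temp directory,
  * O4 Run entries whose target sits outside Windows / Program Files,
  * O7 policy values that lock the user out of regedit / Task Manager.
Assumption: %SystemRoot% is C:\\WINDOWS, as in the posted log.
"""
import re

# Real home of each frequently impersonated XP binary (compared lowercased).
SYSTEM_BINARIES = {
    "lsass.exe":    {"c:\\windows\\system32"},
    "svchost.exe":  {"c:\\windows\\system32"},
    "smss.exe":     {"c:\\windows\\system32"},
    "csrss.exe":    {"c:\\windows\\system32"},
    "winlogon.exe": {"c:\\windows\\system32"},
    "services.exe": {"c:\\windows\\system32"},
    "spoolsv.exe":  {"c:\\windows\\system32"},
    "explorer.exe": {"c:\\windows"},
}
# Autostart targets outside these roots deserve a second look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
# Policy values that malware sets to keep the user away from admin tools.
BLOCKING_POLICIES = ("disableregedit", "disableregistrytools", "disabletaskmgr")

_RUN_RE = re.compile(r"^O4 - .*?\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$", re.I)
_EXE_RE = re.compile(r'^"?(?P<path>[a-z]:\\[^"]*?\.exe)', re.I)


def split_path(path):
    """Return (directory, file name) of a Windows path, both lowercased."""
    directory, _, name = path.lower().rpartition("\\")
    return directory, name


def check_executable(path):
    """Reasons an executable path is suspicious; an empty list means none."""
    directory, name = split_path(path)
    reasons = []
    allowed = SYSTEM_BINARIES.get(name)
    if allowed is not None and directory not in allowed:
        reasons.append(f"{name} masquerade: runs from {directory}, "
                       f"expected {sorted(allowed)[0]}")
    if "\\temp\\" in directory + "\\" or "\\locals~1\\" in directory + "\\":
        reasons.append("runs from a temporary directory")
    return reasons


def check_run_target(cmd):
    """Reasons for an O4 Run command line: executable checks plus its location."""
    m = _EXE_RE.match(cmd)
    if not m:
        return ["cannot parse executable from: " + cmd]
    path = m.group("path")
    reasons = check_executable(path)
    if not path.lower().startswith(TRUSTED_ROOTS):
        reasons.append("autostart target outside Windows / Program Files")
    return reasons


def triage(log_text):
    """Walk a HijackThis log; return [(line, [reasons])] for suspicious entries."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:                 # a blank line ends the process list
                in_processes = False
                continue
            reasons = check_executable(line)
        elif line.startswith("O4 "):
            m = _RUN_RE.match(line)
            reasons = check_run_target(m.group("cmd")) if m else []
        elif line.startswith("O7 "):
            compact = line.lower().replace(" ", "")
            reasons = [f"policy locks out admin tools: {p}"
                       for p in BLOCKING_POLICIES if p + "=1" in compact]
        else:
            reasons = []
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Win\lsass.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\DOCUME~1\Bojan\LOCALS~1\Temp\hpash.exe

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [run32] C:\Win\lsass.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run it directly to print the findings for the embedded sample, or pass the text of a real log to triage(). A file named like a system binary in the wrong directory is the strongest signal here; the Temp and location heuristics will also catch legitimate installers and oddly placed software, so treat those as prompts to look closer rather than verdicts, which is also why kristi1's advice to wait for the helper before deleting anything is sound.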
 
Bokacio
Re: Stubborn virus or trojan, 13.09.2009 at 23:58
Thanks for the replies,

The problem is that the Win folder doesn't exist, so I can't find that duplicate lsass.exe. It seems to be some sophisticated virus. I'd like to get rid of it before I start a fresh install. Even after ComboFix, this virus is still in memory.

Here is the ComboFix report:

Quote:

ComboFix 09-09-13.04 - Bojan 09/13/2009 23:25.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.408 [GMT 2:00]
Running from: c:\documents and settings\Bojan\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Bojan\Application Data\EurekaLog
c:\windows\Installer\WinRMSrv.msi
c:\windows\system32\Cache

.
((((((((((((((((((((((((( Files Created from 2009-08-13 to 2009-09-13 )))))))))))))))))))))))))))))))
.

2009-09-13 20:30 . 2009-09-13 20:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-13 20:30 . 2009-09-13 20:30 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-13 20:30 . 2009-09-13 20:30 -------- d-----w- c:\documents and settings\Bojan\Application Data\SUPERAntiSpyware.com
2009-09-13 20:30 . 2009-09-13 20:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-13 16:42 . 2009-09-13 16:42 -------- d-----w- c:\documents and settings\Bojan\Application Data\Malwarebytes
2009-09-13 16:41 . 2009-09-10 12:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 16:41 . 2009-09-13 16:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 16:41 . 2009-09-13 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-13 16:41 . 2009-09-10 12:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-13 16:17 . 2009-09-13 16:17 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-09-13 16:17 . 2009-09-13 16:17 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-09-13 16:15 . 2009-09-13 16:15 -------- d-----w- c:\program files\Kaspersky Lab
2009-09-13 16:15 . 2009-09-13 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-09-13 15:55 . 2009-09-13 15:55 -------- d-----w- c:\documents and settings\Bojan\Application Data\AVG8
2009-09-13 15:54 . 2009-09-13 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-09-13 14:42 . 2009-09-13 14:42 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-09-11 20:44 . 2009-09-11 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\{BBD31133-40F8-4B57-9BA6-DB76C03D153B}
2009-09-09 21:33 . 2009-09-09 21:33 -------- d-----w- c:\program files\iPod
2009-09-09 21:33 . 2009-09-09 21:34 -------- d-----w- c:\program files\iTunes
2009-09-09 19:13 . 2009-09-09 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-09 13:57 . 2009-09-13 19:46 -------- d-----r- C:\Win
2009-09-06 12:29 . 2009-09-06 12:29 -------- d-----w- c:\documents and settings\Bojan\Application Data\TuneUp Software
2009-09-06 12:28 . 2009-09-06 12:28 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-09-06 12:27 . 2009-09-06 12:27 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-08-29 22:43 . 2009-08-29 22:43 -------- d-----w- c:\documents and settings\Bojan\Local Settings\Application Data\RagdollSoft
2009-08-29 22:42 . 2009-08-29 22:43 -------- d-----w- c:\program files\Rubber Ninjas Demo
2009-08-28 03:17 . 2009-08-28 03:17 -------- d-----w- c:\program files\Scs4b5t
2009-08-27 03:16 . 2009-08-27 03:16 -------- d-----w- c:\program files\Psygnosis
2009-08-27 03:04 . 2009-08-27 03:04 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-08-27 03:04 . 2009-08-27 03:05 -------- d-----w- c:\program files\DAEMON Tools Pro
2009-08-27 02:54 . 2009-08-27 02:54 722416 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-27 02:54 . 2009-08-27 02:54 -------- d-----w- c:\documents and settings\Bojan\Application Data\DAEMON Tools Pro
2009-08-19 22:49 . 2009-08-19 22:49 -------- d-----w- c:\documents and settings\Bojan\Local Settings\Application Data\PunkBuster
2009-08-19 22:32 . 2009-09-13 16:51 -------- d-----w- c:\documents and settings\Bojan\Application Data\id Software
2009-08-19 20:29 . 2009-08-19 20:29 -------- d-----w- c:\program files\Zone Labs
2009-08-19 19:24 . 2009-08-19 19:24 437365 ----a-w- c:\temp\maindemo.zip
2009-08-19 19:23 . 2009-08-19 19:23 211329 ----a-w- c:\temp\inspector_demo.zip
2009-08-19 19:23 . 2009-08-19 19:23 215439 ----a-w- c:\temp\nextgrid_demo2.zip
2009-08-19 19:23 . 2009-08-19 19:23 286464 ----a-w- c:\temp\nextgrid_demo.zip
2009-08-18 22:02 . 2009-08-27 15:38 -------- d-----w- c:\documents and settings\Bojan\Local Settings\Application Data\MediaMonkey
2009-08-18 22:02 . 2009-08-27 15:38 -------- d-----w- c:\program files\MediaMonkey
2009-08-15 00:10 . 2009-08-15 00:10 -------- d-----w- c:\windows\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-13 22:16 . 2008-05-11 10:36 -------- d-----w- c:\documents and settings\Bojan\Application Data\Skype
2009-09-13 17:15 . 2009-06-08 17:38 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2009-09-13 17:15 . 2009-06-08 17:24 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-09-13 16:11 . 2009-06-08 17:43 -------- d-----w- c:\documents and settings\Bojan\Application Data\VMware
2009-09-13 16:10 . 2008-05-07 20:09 -------- d-----w- c:\program files\Common Files\Logitech
2009-09-13 15:21 . 2008-12-29 21:54 -------- d-----w- c:\program files\Common Files\Logishrd
2009-09-13 15:21 . 2008-04-02 14:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-13 15:02 . 2008-05-11 10:38 -------- d-----w- c:\documents and settings\Bojan\Application Data\skypePM
2009-09-13 15:00 . 2009-06-08 17:28 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2009-09-11 16:05 . 2008-08-25 09:39 -------- d-----w- c:\documents and settings\Bojan\Application Data\uTorrent
2009-09-10 01:12 . 2008-06-24 13:32 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-09 21:35 . 2008-04-08 09:57 -------- d-----w- c:\documents and settings\Bojan\Application Data\Apple Computer
2009-09-09 21:33 . 2008-04-08 09:55 -------- d-----w- c:\program files\Common Files\Apple
2009-09-09 21:32 . 2009-02-07 17:06 -------- d-----w- c:\program files\QuickTime
2009-09-09 21:04 . 2008-04-03 11:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-09 19:10 . 2008-09-12 17:44 -------- d-----w- c:\program files\Bonjour
2009-09-01 00:36 . 2008-12-14 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Embarcadero
2009-08-19 20:29 . 2008-04-02 16:57 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-08-14 21:14 . 2009-08-14 21:13 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-14 21:05 . 2008-04-02 16:02 -------- d-----w- c:\program files\Windows Media Connect
2009-08-09 15:39 . 2009-05-08 13:05 18 ----a-w- c:\windows\popcinfot.dat
2009-08-09 15:39 . 2009-05-08 13:23 14 ----a-w- c:\windows\popcinfo.dat
2009-08-05 13:31 . 2008-05-29 17:40 4608 ----a-w- c:\windows\system32\bbchlp.dll
2009-08-05 13:31 . 2008-05-29 17:40 4096 ----a-w- c:\windows\system32\drivers\bbcap.sys
2009-08-05 13:31 . 2008-05-29 17:40 30720 ----a-w- c:\windows\system32\bbcap.dll
2009-08-05 09:11 . 2006-02-28 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-27 20:14 . 2008-04-03 16:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-27 20:11 . 2009-07-27 20:11 -------- d-----w- c:\program files\Adobe Media Player
2009-07-26 19:19 . 2009-07-26 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Blueberry
2009-07-26 19:18 . 2009-07-26 19:18 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{6B71DDD0-B12C-4427-A1DE-A57327178878}
2009-07-26 19:18 . 2009-07-26 19:18 -------- d-----w- c:\program files\Common Files\Blueberry Software
2009-07-26 19:18 . 2009-07-26 19:18 -------- d-----w- c:\program files\Blueberry Software
2009-07-26 19:17 . 2008-05-29 17:41 -------- d-----w- c:\documents and settings\Bojan\Application Data\Blueberry
2009-07-25 18:46 . 2009-07-25 18:41 -------- d-----w- c:\program files\Quake III Arena
2009-07-25 18:42 . 2009-07-25 18:42 -------- d-----w- c:\program files\Mplayer
2009-07-19 14:37 . 2009-07-19 14:37 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-07-17 18:55 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 21:43 . 2006-02-28 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 13:48 . 2009-07-03 13:48 219664 ----a-w- c:\windows\system32\klogon.dll
2009-07-03 13:45 . 2009-07-03 13:45 27507 ----a-w- c:\windows\system32\drivers\klopp.dat
2009-06-29 16:12 . 2006-02-28 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-02-28 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-28 12:46 . 2008-04-02 17:03 60408 ----a-w- c:\documents and settings\Bojan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-25 18:36 . 2006-02-28 12:00 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2006-02-28 12:00 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2006-02-28 12:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2006-02-28 12:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2006-02-28 12:00 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2006-02-28 12:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2006-02-28 12:00 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2006-02-28 12:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2006-02-28 12:00 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2006-02-28 12:00 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2006-02-28 12:00 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2006-02-28 12:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 08:17 . 2006-02-28 12:00 729600 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:17 . 2006-02-28 12:00 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:17 . 2006-02-28 12:00 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:17 . 2006-02-28 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:17 . 2006-02-28 12:00 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:17 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-22 11:49 . 2006-02-28 12:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2006-02-28 12:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2006-02-28 12:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2006-02-28 12:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-22 11:35 . 2006-02-28 12:00 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-21 18:48 . 2009-06-21 18:48 51760 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-19 21:03 . 2009-06-19 20:56 78884 ----a-w- c:\windows\hpfins05.dat
2009-06-16 14:55 . 2006-02-28 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-10 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-04 1994480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-10 839769]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 274432]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1385808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-4-3 187392]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-2-15 663613]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2005-07-25 18:41 40960 ----a-w- c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2005-08-19 13:52 389120 ----a-w- c:\windows\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli AsWlnPkg

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Bojan^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Bojan\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Bojan^Start Menu^Programs^Startup^Product Registration.lnk]
path=c:\documents and settings\Bojan\Start Menu\Programs\Startup\Product Registration.lnk
backup=c:\windows\pss\Product Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Bojan^Start Menu^Programs^Startup^santa.bat]
path=c:\documents and settings\Bojan\Start Menu\Programs\Startup\santa.bat
backup=c:\windows\pss\santa.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Bojan^Start Menu^Programs^Startup^WingsStart.lnk]
path=c:\documents and settings\Bojan\Start Menu\Programs\Startup\WingsStart.lnk
backup=c:\windows\pss\WingsStart.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrA"=2 (0x2)
"mi-raysat_3dsmax2010_32"=2 (0x2)
"LightScribeService"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"VMware NAT Service"=2 (0x2)
"vmount2"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMAuthdService"=2 (0x2)
"ufad-ws60"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"PersonalSecureDriveService"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MDM"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"iPod Service"=3 (0x3)
"IFXTCS"=2 (0x2)
"IFXSpMgtSrv"=2 (0x2)
"idsvc"=3 (0x3)
"hpqwmiex"=2 (0x2)
"gusvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"BlackfishSQL"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\InterVideo\\DVD Check\\DVDCheck.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\hqtray.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe"=
"c:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe"=
"c:\\Program Files\\ProtectTools\\Embedded Security Software\\PSDrt.exe"=
"c:\\Programs\\Process\\procexp.exe"=
"c:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"=
"c:\\Program Files\\HPQ\\HP ProtectTools Security Manager\\PTServs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\PowerISO\\PWRISOVM.EXE"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [12/15/2008 8:41 PM 33808]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [10/25/2005 8:10 PM 35488]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 2:50 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2/28/2006 2:00 PM 14336]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\nlomog.sys --> c:\windows\system32\drivers\nlomog.sys [?]
R3 bbcap;bbcap;c:\windows\system32\drivers\bbcap.sys [5/29/2008 7:40 PM 4096]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [4/2/2008 4:46 PM 87936]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [6/10/2005 3:26 PM 35968]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/13/2009 5:46 PM 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [5/16/2009 8:59 PM 19472]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 7408]
S3 iadusb;MT882;c:\windows\system32\drivers\glauiad.sys [5/1/2009 11:58 PM 30336]
S4 BlackfishSQL;BlackfishSQL;c:\program files\CodeGear\RAD Studio\6.0\bin\BSQLServer.exe [8/29/2008 9:00 PM 65536]
S4 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [3/12/2009 5:36 PM 86016]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel
.
Contents of the 'Scheduled Tasks' folder

2009-09-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-09-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-73586283-1801674531-1003Core.job
- c:\documents and settings\Bojan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-04 20:27]

2009-09-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-73586283-1801674531-1003UA.job
- c:\documents and settings\Bojan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-04 20:27]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Bojan\Application Data\Mozilla\Firefox\Profiles\uyzmc3lw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\program files\Mozilla Firefox\extensions\[email protected]\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\Bojan\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-14 00:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\nlomog.sys 5669 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 4.1\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 4.1\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-682003330-73586283-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:58,a1,1c,56,28,3e,69,da,dd,cc,bd,36,50,f7,60,7f,02,00,dc,94,de,
57,2a,7e,cc,a9,30,41,ae,ca,b6,a9,50,a8,ca,e1,8f,55,84,ad,4a,7e,44,f0,e1,6d,\
"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(972)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\IfxWlxEN.dll

- - - - - - - > 'lsass.exe'(1028)
c:\program files\HPQ\IAM\bin\AsWlnPkg.dll

- - - - - - - > 'explorer.exe'(1432)
c:\windows\system32\WININET.dll
c:\program files\HPQ\IAM\Bin\SFSShell.dll
c:\program files\HPQ\IAM\bin\ItMsg.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\scardsvr.exe
c:\windows\system32\dllhost.exe
c:\program files\HPQ\IAM\Bin\asghost.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\inetsrv\davcdata.exe
.
**************************************************************************
.
Completion time: 2009-09-13 0:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-13 22:43

Pre-Run: 18,916,556,800 bytes free
Post-Run: 19,329,462,272 bytes free

356 --- E O F --- 2009-09-09 21:10
 
Reply to topic

Bokacio

Member number: 189612
Posts: 112
*.dynamic.sbb.rs.

+27 Profile

Re: Stubborn virus or trojan, 14.09.2009 at 00:00 - 177 months ago
Let me also add that a Win folder appeared in TC and contained a file 1.exe. I deleted it, but the virus is still active in memory :(

Let me write again what happens while the virus is active:
- I can't start the AV
- I can't reach AV sites for online scanning
- regedit/task manager don't work
- it is probably running a keylogger, because I noticed slowdowns while typing.

uh :(

[This message was edited by Bokacio on 14.09.2009 at 01:14 GMT+1]
 
Reply to topic

Catch 22

Member number: 148083
Posts: 6176
93.86.85.*

+21 Profile

Re: Stubborn virus or trojan, 14.09.2009 at 01:18 - 177 months ago
One good piece of advice you got here seems to have slipped past you?

Or do you perhaps also need a link to download it from?

Avira AntiVir Rescue System

PS
Other options for deleting that C:\Win folder and its entire contents are to boot some Live CD (Linux, or Hiren's Mini XP) and clean your hard disk of the vermin from there... The latest version, Hiren's 10.0, also includes some programs for cleaning out malware:
- Kaspersky Virus Removal Tool 7.0.0.290 (2908)
- Malwarebytes' Anti-Malware 1.40 (2908)
- RootkitRevealer 1.7.1
- SmitFraudFix 2.423
- ComboFix (2908)
... and a few more...

 
Reply to topic

Bokacio

Member number: 189612
Posts: 112
*.dynamic.sbb.rs.

+27 Profile

Re: Stubborn virus or trojan, 14.09.2009 at 01:46 - 177 months ago
Thanks for the advice,

I'm downloading the Avira Rescue CD right now and will try something.

My biggest problem is that the virus literally shuts down almost all the better-known programs for removing viruses/trojans/worms. I suspect the virus has also destroyed Safe Mode, because I can no longer get into it. I still haven't managed to find out WHICH filename that virus has, and I've shut down almost everything.
 
Reply to topic

.LoG
Novi Sad

Member number: 14185
Posts: 208
*.wlan-bcl81.nsd.panline.net.

+1 Profile

Re: Stubborn virus or trojan, 14.09.2009 at 02:21 - 177 months ago
c:\windows\system32\drivers\nlomog.sys

Looks like you have a rootkit; try deleting it with Gmer, www.gmer.net
 
Reply to topic
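The driver singled out above shows the two signs that together point to a rootkit in a ComboFix log: a service whose file ComboFix could not read (`[?]` instead of a date and size) and the same path reported by catchme as a hidden file. As an added example, not code from this thread or from ComboFix, the Python below pulls both sections out of such a log and correlates them; the excerpt it runs on is constructed from the log posted earlier, and the line patterns are my reading of that log's format.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\nlomog.sys --> c:\windows\system32\drivers\nlomog.sys [?]
R3 bbcap;bbcap;c:\windows\system32\drivers\bbcap.sys [5/29/2008 7:40 PM 4096]
scanning hidden files ...
c:\windows\system32\drivers\nlomog.sys 5669 bytes executable
hidden files: 1
"""

# Service line: "R3 name;display;path [date time size]"; "[?]" means the file could not be read.
# catchme reports each hidden file as "<path> <size> bytes <kind>".
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
META_RE = re.compile(r"^(?P<path>.+?) \[(?P<meta>[^\]]*)\]$")
HIDDEN_RE = re.compile(r"^(?P<path>[a-z]:\\.+?) \d+ bytes \w+$", re.IGNORECASE)


def parse_services(log):
    """One dict per R*/S* service line, with the on-disk path normalised."""
    services = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").split(" --> ", 1)[-1]  # keep the resolved side of "a --> b"
        meta = META_RE.match(rest)
        path = (meta.group("path") if meta else rest).lower().replace("\\??\\", "")
        services.append({"start": m.group("start"), "name": m.group("name"),
                         "path": path,
                         "file_info": meta.group("meta") if meta else ""})
    return services


def parse_hidden_files(log):
    """Paths the catchme section reports as hidden from the Win32 API."""
    matches = (HIDDEN_RE.match(line.strip()) for line in log.splitlines())
    return {m.group("path").lower() for m in matches if m}


def suspicious_drivers(log):
    """Flag services whose file ComboFix could not read or catchme found hidden."""
    hidden = parse_hidden_files(log)
    findings = []
    for svc in parse_services(log):
        reasons = []
        if svc["file_info"] == "?":
            reasons.append("ComboFix could not read the driver file")
        if svc["path"] in hidden:
            reasons.append("file hidden from the Win32 API (rootkit behaviour)")
        if reasons:
            findings.append({**svc, "reasons": reasons})
    return findings
```

Run `suspicious_drivers(SAMPLE_LOG)` on the excerpt and only abp470n5 (nlomog.sys) comes back, with both reasons; bbcap, which has a readable file and is not hidden, is not flagged.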

kristi1

Member number: 151211
Posts: 2012
*.ptt.rs.

Site: www.mycity.rs/Ambulanta

+88 Profile

Re: Stubborn virus or trojan, 14.09.2009 at 06:25 - 177 months ago
Download the file attached to this message and unpack it to the desktop.
Turn off the AV.
With the left mouse button, drag the script onto the ComboFix icon.

When it finishes, post a new log.

Run HJT and tick the following line:

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Click Fix checked.

edit. Most likely your USB stick is infected too.

[This message was edited by kristi1 on 14.09.2009 at 12:14 GMT+1]
Attached files
 
Reply to topic

andre2000
Aleš Jindra
Beograd

Member number: 62983
Posts: 474

+97 Profile

Re: Stubborn virus or trojan, 14.09.2009 at 09:42 - 177 months ago
For situations like this, when the computer is infected to the core, I use Kaspersky Rescue Disk. It works with the help of BartPE, boots from a live CD and cleans everything, so I don't have to wrestle with viruses that block my anti-malware tools.
 
Reply to topic
