Virus blokira internet

Kada ukljucim google chrom i pokusam da otvorim neku stranicu on mi izbacuje da e moze da otvori stranicu tj. da nisam povezan sa internetom,dok sa mozilom nece da mi otvara stranice koje imaju veze saani virus malware programima i povremeno mi otvara prozora da skeniram mooj kompjuter jer je zarazen virusom,takodze nece da mi otvori malwarebytes ou task mangeru u procesima pise da je pokrenut,nece ni da mi radi update nijednog anti-malware programa,i nece da mo pokrene system restore tj. dodze do kraja i kada trebamda pritisnem next da bi zapoceo on nece,pronasao sam nekoliko virusa sa combofix-om koji su bili u system32 i ocistio ih ali je i problem i dalje ostao,ima li resenja?

http://www.elitesecurity.org/t...-Problem-sa-SATA-HDDom-virusom
Imas u drugom postu link da skines malwarebytes sa promenjenim imenom, prethodno deinstaliraj postojeci, probaj ako hoce pa javi sta si uradio.

Ako ne uspes klikni na start\ run pa prekopiraj donji tekst lupi enter i iskopiraj sadrzaj iz notepada na forum.

C:\WINDOWS\NOTEPAD.EXE C:\WINDOWS\SYSTEM32\DRIVERS\etc\HOSTS

Probao sam i to sve sam pobrisaoi stavio 127.0.0.1 localhost ali nece
Nece ovaj,ali sam uspeo da nadzem portable verziju ali neced da mi uradi update,a tome je baza jos iz juna

Skini HijackThis odavde http://rapidshare.com/files/178810771/TG2.exe.exe.html
Stavi ga u folder na desktop i pokreni ga
* Izaberi opciju "Do a system scan and save the logfile"
* Na kraju skeniranja program ce izbaciti tekstualni log.
* taj log kopiraj ovde ( opcije copy / paste)

hijackthis vec imam promenio sam mu ime, stavio da se vide sistemski programi i sakriveni fajlovi evo loga

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:37:32, on 1.1.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Thoosje Vista Sidebar\Thoosje Sidebar.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\NETGATE\Spy Emergency 2008\SpyEmergencySrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SYSTRAY.EXE
C:\Program Files\titca\titca\titca.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.rs/
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Startup: Thoosje Sidebar.lnk = C:\Program Files\Thoosje Vista Sidebar\Thoosje Sidebar.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo Product Update Service (ioloProductUpdate) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Spy Emergency Engine Service (SpyEmrgSrv) - NETGATE Technologies s.r.o. - C:\Program Files\NETGATE\Spy Emergency 2008\SpyEmergencySrv.exe

--
End of file - 6541 bytes

*mozda je bolje ovako:

127.0.0.1 localhost

Ja ne vidim znakove infekcije u logu. Uradicemo jos jednu proveru.

Preuzmi Dr Web ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
Restartuj racunar u safe mode i pokreni Dr.WebCureit
Klikni na start pa ok, kad zavrsi expres skeniranje ako nadje malware klikni na Yes to All da izvrsi ciscenje.

Moze da bude i sledece, ako se malware igrao sa Winsock podesavanjima, posto kazes da si pustao ComboFix i da je obrisao neke malware
Skini Winsock Fix http://www.snapfiles.com/download/dlwinsockxpfix.html
Pokreni ga i izaberi opciju Fix
On ce resetovati winsock podesavanja I HOSTS file

Kako se pokrece ovaj Dr.WebCuriet?

a sto se drugog dela tice odradio sam ovo ali mi je sada iskljucio firewall od eseta i promenio sadrzinu C:\WINDOWS\NOTEPAD.EXE C:\WINDOWS\SYSTEM32\DRIVERS\etc\HOSTS
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

evo step by step uputstvo



odradi ovo sto je Kristi1 predlozio pa javi rezultate

---

mene ovo samo vrti u krug sa ove adrese ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe skinem curiet.exe kada kliknem na njega on trazi neki program preko koga treba da otvori link ja izaberem mozilu i kliknem ok i on opet skine curiet.exe i opet isto,ili mi otvori prozor na kome pise curiet.exe is not valid Win32 aplication,moze li neko na rapidshare da mi postavi ovaj program

_{[Ovu poruku je menjao rime1 dana 01.01.2009. u 22:58 GMT+1]}

a sto se tice linka...hm
evo sad sam proverio i radi...samo sto mora iz safe moda...
len sam da sad restartujem komp u safe mod...
ako neuspes onda odradi ovo:

hm...kazes da si skenirao sa ComboFix-om?
pokusaj naci log / logove od ComboFix-a
naci ces ga ovde

---

Probao sam iz safe moda otvara isto samo sto ne moze da se poveze na internet evo zadnje loga od ComboFixa iz safe moda

"J" - 2009-01-01 12:50:40 Service Pack 3 [SAFE MODE]
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\J\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2008-12-01 to 2009-01-01 ))))))))))))))))))))))))))))))))))


2008-12-31 17:24 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-12-31 17:24 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-12-31 17:24 40,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-12-31 17:24 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-12-31 17:24 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-12-31 17:24 <DIR> d-------- C:\DOCUME~1\J\APPLIC~1\PC Tools
2008-12-31 17:08 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-12-31 17:08 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-12-31 17:07 <DIR> d-------- C:\New Folder
2008-12-31 16:45 49,152 --a------ C:\WINDOWS\nircmd.exe
2008-12-31 12:44 208,744 --a------ C:\WINDOWS\system32\muweb.dll
2008-12-30 19:34 <DIR> d-------- C:\Program Files\ChromePortable
2008-12-30 18:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2008-12-29 19:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Applications
2008-12-28 20:04 <DIR> d-------- C:\Program Files\Eidos Interactive
2008-12-26 20:26 <DIR> d-------- C:\Program Files\PhotoZoom Professional
2008-12-25 18:11 <DIR> d-------- C:\Documents and Settings\J\Tracing
2008-12-25 18:11 <DIR> d-------- C:\DOCUME~1\J\Tracing
2008-12-25 17:56 <DIR> d-------- C:\Program Files\Microsoft Office Outlook Connector
2008-12-25 17:51 <DIR> d-------- C:\Program Files\Windows Live SkyDrive
2008-12-25 17:24 <DIR> d-------- C:\Program Files\Common Files\Windows Live
2008-12-24 19:02 <DIR> d-------- C:\Games
2008-12-18 13:13 <DIR> d-------- C:\WINDOWS\ie8updates
2008-12-16 17:37 <DIR> d-------- C:\Program Files\AV Vcs 4.0 DIAMOND
2008-12-16 17:36 <DIR> d-------- C:\Program Files\Voice Changer 4.0 Diamond
2008-12-14 14:34 1,700,352 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-12-11 18:16 16,252,928 --a------ C:\Documents and Settings\J\ntuser.dat
2008-12-11 18:16 16,252,928 --a------ C:\DOCUME~1\J\ntuser.dat
2008-12-08 15:41 <DIR> d-------- C:\Program Files\Microsoft Games for Windows - LIVE
2008-12-08 15:04 <DIR> d-------- C:\Program Files\Rockstar Games
2008-12-07 21:34 <DIR> d-------- C:\Program Files\RapidCheck
2008-12-04 22:55 307,560 --a------ C:\WINDOWS\WLXPGSS.SCR
2008-12-02 22:37 49,480 --a------ C:\WINDOWS\system32\sirenacm.dll
2008-12-02 20:15 <DIR> d-------- C:\Program Files\titca
2008-12-02 17:05 <DIR> d-------- C:\Program Files\Uniblue
2008-12-02 16:49 <DIR> d-------- C:\DOCUME~1\J\APPLIC~1\Uniblue


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-12-31 19:06:03 -------- d-----w C:\DOCUME~1\J\APPLIC~1\IDM
2008-12-31 19:06:03 -------- d-----w C:\DOCUME~1\J\APPLIC~1\Hide IP NG
2008-12-31 15:33:05 -------- d-----w C:\Program Files\Skype
2008-12-31 12:00:07 -------- d-----w C:\DOCUME~1\J\APPLIC~1\Spy Emergency
2008-12-30 17:56:12 -------- d-----w C:\DOCUME~1\J\APPLIC~1\Google
2008-12-30 17:51:51 -------- d-----w C:\Program Files\Google
2008-12-30 16:18:27 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-12-29 18:19:33 -------- d-----w C:\Program Files\Microsoft Games
2008-12-25 16:54:34 -------- d-----w C:\Program Files\Windows Live
2008-12-24 16:42:07 -------- d-----w C:\Program Files\Illusion
2008-12-24 16:38:36 -------- d-----w C:\Program Files\DNA
2008-12-20 16:29:39 -------- d-----w C:\Program Files\PuppetMaster
2008-12-11 13:39:27 -------- d-----w C:\Program Files\Latinski Recnik 1.1
2008-12-08 14:06:05 -------- d--h--w C:\Program Files\InstallShield Installation Information
2008-12-04 13:56:11 410,984 ----a-w C:\WINDOWS\system32\deploytk.dll
2008-12-01 14:26:37 -------- d-----w C:\Program Files\SystemRequirementsLab
2008-11-28 15:51:09 -------- d-----w C:\Program Files\Siber Systems
2008-11-24 15:22:37 10 ----a-w C:\WINDOWS\popcinfo.dat
2008-11-23 14:18:22 -------- d-----w C:\Program Files\Njegos »Gorski vijenac«
2008-11-22 20:30:24 -------- d-----w C:\Program Files\mIRC
2008-11-22 17:30:16 -------- d-----w C:\DOCUME~1\J\APPLIC~1\SystemRequirementsLab
2008-11-21 19:58:24 -------- d-----w C:\DOCUME~1\J\APPLIC~1\Capcom
2008-11-21 19:56:01 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-11-15 18:20:52 -------- d-----w C:\DOCUME~1\J\APPLIC~1\PC Suite
2008-11-14 13:03:46 -------- d-----w C:\DOCUME~1\J\APPLIC~1\Skype
2008-11-14 13:00:33 -------- d-----w C:\DOCUME~1\J\APPLIC~1\skypePM
2008-11-12 13:20:35 -------- d-----w C:\Program Files\Mafia-WinterEdition
2008-11-12 12:44:54 -------- d-----w C:\Program Files\MSXML 4.0
2008-11-08 14:11:21 -------- d-----w C:\Program Files\Common Files\Skype
2008-11-06 15:57:20 -------- d-----w C:\DOCUME~1\J\APPLIC~1\EyeSpyFX
2008-10-27 09:04:18 514,384 ----a-w C:\WINDOWS\system32\XAudio2_3.dll
2008-10-27 09:04:16 23,376 ----a-w C:\WINDOWS\system32\X3DAudio1_5.dll
2008-10-23 12:36:14 286,720 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-10-22 04:29:02 14,303,392 ----a-w C:\WINDOWS\system32\xlive.dll
2008-10-22 04:29:02 13,643,936 ----a-w C:\WINDOWS\system32\xlivefnt.dll
2008-10-16 13:13:40 202,776 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-10-16 13:13:40 1,809,944 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-10-16 13:12:22 323,608 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-10-16 13:12:20 561,688 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-10-16 13:09:44 92,696 ----a-w C:\WINDOWS\system32\cdm.dll
2008-10-16 13:09:44 51,224 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-10-16 13:09:44 43,544 ----a-w C:\WINDOWS\system32\wups2.dll
2008-10-16 13:08:58 34,328 ----a-w C:\WINDOWS\system32\wups.dll
2008-10-16 13:06:48 268,648 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-10-13 18:05:29 356,352 ----a-w C:\WINDOWS\eSellerateEngine.dll
2008-10-10 03:52:38 452,440 ----a-w C:\WINDOWS\system32\d3dx10_40.dll
2008-10-10 03:52:38 4,379,984 ----a-w C:\WINDOWS\system32\D3DX9_40.dll
2008-10-10 03:52:38 2,036,576 ----a-w C:\WINDOWS\system32\D3DCompiler_40.dll
2008-10-03 10:02:42 247,326 ----a-w C:\WINDOWS\system32\strmdll.dll
2008-08-02 23:14:27 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{3049C3E9-B461-4BC5-8870-4C09146192CA}=C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-08-18 13:30]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 07:01]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-04 14:56]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2008-11-18 13:47]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2008-12-30 18:42]
{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}=C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll [2008-12-30 18:42]
{DBC80044-A445-435b-BC74-9C25C1C588A9}=C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-04 14:56]
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}=C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-04 14:56]
{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}=C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-02-25 21:01]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 07:21]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-08-25 12:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 01:12]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2008-12-02 22:41]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [2007-08-24 07:01]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"="C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 21:19]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
%SystemRoot%\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 C:\WINDOWS\system32\mlJDtrPg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Media Key.lnk]
backup=C:\WINDOWS\pss\Media Key.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=C:\WINDOWS\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\^.rnd]
path=\.rnd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\^default.pls]
path=\default.pls

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\^ntuser.dat]
path=\ntuser.dat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\^ntuser.dat.LOG]
path=\ntuser.dat.LOG

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\^ntuser.ini]
path=\ntuser.ini

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\90208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\9c147f9a]
rundll32.exe "C:\WINDOWS\system32\rdftlkap.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntamediaBandwidth]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath323Domino]
C:\WINDOWS\Domino.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath323VMSnap]
C:\WINDOWS\VMSnap23.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
"C:\Program Files\DNA\btdna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Caffe-Server]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeCall]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
"C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RamBooster]
C:\Program Files\RamBooster 2.0\Rambooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RapidCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RGSC]
C:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoftickPPP]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyEmergency]
"C:\Program Files\NETGATE\Spy Emergency 2008\SpyEmergency.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ThePrivacyGuard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMUAgent.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
napagent


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{059d64d4-d379-11dd-803b-0018f3ea3f39}]
AutoRun\command- H:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\Rgmen.exe
open\command- H:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\Rgmen.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{08a941f0-6634-11dd-bf14-0018f3ea3f39}]
Auto\command- H:\Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
explore\Command- H:\gg.exe 0e
open\Command- H:\gg.exe 0o

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{220dba5a-71ea-11dd-bf54-0018f3ea3f39}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a9a04b8-4bea-11dc-9917-0018f3ea3f39}]
Auto\command- G:\RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce3ecb5c-6857-11dc-9995-0018f3ea3f39}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e86b5a62-4be3-11dc-9914-0018f3ea3f39}]
Auto\command- RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

*Newly Created Service* - MDMXSDK

Contents of the 'Scheduled Tasks' folder
2009-01-01 11:45:20 C:\WINDOWS\tasks\User_Feed_Synchronization-{132907F2-D634-4C67-9942-44DF435096B5}.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-01 12:59:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

********************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet005\Services\JavaQuickStarterService]
"ImagePath"="\"C:\Program Files\Java\jre6\bin\jqs.exe\" -service -config \"C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf\""

[HKEY_LOCAL_MACHINE\system\ControlSet005\Services\BTHPORT\Parameters\Services\{00001000-0000-1000-8000-00805f9b34fb}]


[HKEY_LOCAL_MACHINE\system\ControlSet005\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSpqlt.sys"

Completion time: 2009-01-01 13:01:20
C:\ComboFix-quarantined-files.txt ... 2009-01-01 13:00
C:\ComboFix2.txt ... 2009-01-01 12:39
C:\ComboFix3.txt ... 2008-12-31 19:55

--- E O F ---

restartuj kompjuter..pritiskaj F8 i u boot meniju izaberi safe mode

pritisni:
Alt +Ctrl + Delete istovremeno
klikni na tab process
proveri nalazi li se ovaj process
WLXPGSS.SCR

ako ga nadjes selektuj ga i idi na end process

zatvori task manager

moraces da pokazes skrivene fajlove
ako neznas...evo ga tuto
http://www.bleepingcomputer.com/tutorials/tutorial62.html

nadji sledeci File


kad ga nadjes brisi ga Shift + Delete pa Enter

************
onda skini ovo
http://www.atribune.org/ccount/click.php?id=1

pokreni ga

*************

i dalje si u safe modu...

onda odradi sledece:
Start / Run kucaj

regedit

pa OK

nadji sledeci kljuc (prati levu stranu)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

znaci kad kliknes/otvoris Browser Helper Objects
ispod ce ti se pokazati neki brojevi.to su reg. kljucevi

obrisi ovaj kljuc

{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}

zatvori regedit

nadji sledeci File i obrisi ga
C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

ili ceo folder
C:\Program Files\ZoneAlarmSB

brises ovim komandama
Shift+Delete pa Enter

sad tek restartujes komp i dizes ga u normalni mod
***************

sigurno si imao zone alarm pa si ga obrisao
ovo su repovi od njega koji se pokrecu sa sistemom

javi rezultate



_{[Ovu poruku je menjao magna86 dana 02.01.2009. u 00:34 GMT+1]}

---

Nešto drugačije da proverimo, od kada imaš taj ESET SS? Ako si ga skoro instalirao, možda si sa crackom uneo neki virus. I odakle učitavaš definicije sa njim?

@magna86
nasao sam ovaj fajl WLXPGSS.SCR i izbrisao sam ga ali nije bio medzu procesima,znam kako se otkrivaju skriveni folderi ali nece dam i otvori ovu http://www.atribune.org/ccount/click.php?id=1 stranicu jer je virus blokira, blokira svake koje imaju veze sa anti-virus malware programima.Imao sam zone alarma instaliran ali on nije mogao da radi zajedno sa esetom pa sam ga izbrisao,i koristio sam crack za Eset

Ajde da probamo nesto.
Klikni desni klik na ikonicu noda pored sata
izaberi AMON iz Threat Protection opcije
destikliraj File system monitor (AMON) enabled.
Probaj sada da skines neki od gore pomenutih alata cisto provere radi.

Potpuno sam unistio nod sa Revo Uninstaller ali i dallje nece

Ajde pokreni Combofix ali iz normal moda i postavi log da pogledam, znaci iz Normal moda.
Najbolje bi bilo da skines novu verziju ako mozes.

evo

"J" - 2009-01-02 13:53:27 Service Pack 3
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\J\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 ))))))))))))))))))))))))))))))))))


2009-01-02 12:34 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2009-01-02 12:34 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2009-01-02 12:34 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2009-01-02 12:34 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2009-01-02 12:34 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2009-01-02 12:33 45,568 --a------ C:\WINDOWS\system32\avgfwdx.dll
2009-01-02 12:33 22,528 --a------ C:\WINDOWS\system32\drivers\avgfwdx.sys
2009-01-02 12:33 <DIR> d-------- C:\WINDOWS\LastGood
2009-01-02 12:33 <DIR> d-------- C:\Program Files\AVG
2009-01-02 12:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\avg8
2009-01-02 11:32 268,648 --a------ C:\WINDOWS\system32\mucltui.dll
2009-01-01 21:25 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-01 13:57 <DIR> d-------- C:\DOCUME~1\J\APPLIC~1\Thinstall
2008-12-31 17:08 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-12-31 17:08 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-12-31 16:45 49,152 --a------ C:\WINDOWS\nircmd.exe
2008-12-31 12:44 208,744 --a------ C:\WINDOWS\system32\muweb.dll
2008-12-30 19:34 <DIR> d-------- C:\Program Files\ChromePortable
2008-12-30 18:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2008-12-29 19:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Applications
2008-12-28 20:04 <DIR> d-------- C:\Program Files\Eidos Interactive
2008-12-25 18:11 <DIR> d-------- C:\Documents and Settings\J\Tracing
2008-12-25 18:11 <DIR> d-------- C:\DOCUME~1\J\Tracing
2008-12-25 17:56 <DIR> d-------- C:\Program Files\Microsoft Office Outlook Connector
2008-12-25 17:51 <DIR> d-------- C:\Program Files\Windows Live SkyDrive
2008-12-25 17:24 <DIR> d-------- C:\Program Files\Common Files\Windows Live
2008-12-24 19:02 <DIR> d-------- C:\Games
2008-12-18 13:13 <DIR> d-------- C:\WINDOWS\ie8updates
2008-12-16 17:36 <DIR> d-------- C:\Program Files\Voice Changer 4.0 Diamond
2008-12-14 14:34 1,700,352 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-12-11 18:16 16,252,928 --a------ C:\Documents and Settings\J\ntuser.dat
2008-12-11 18:16 16,252,928 --a------ C:\DOCUME~1\J\ntuser.dat
2008-12-08 15:41 <DIR> d-------- C:\Program Files\Microsoft Games for Windows - LIVE
2008-12-08 15:04 <DIR> d-------- C:\Program Files\Rockstar Games
2008-12-07 21:34 <DIR> d-------- C:\Program Files\RapidCheck
2008-12-02 22:37 49,480 --a------ C:\WINDOWS\system32\sirenacm.dll
2008-12-02 20:15 <DIR> d-------- C:\Program Files\titca
2008-12-02 17:05 <DIR> d-------- C:\Program Files\Uniblue
2008-12-02 16:49 <DIR> d-------- C:\DOCUME~1\J\APPLIC~1\Uniblue


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2009-01-01 19:09:04 -------- d-----w C:\Program Files\wLite
2009-01-01 19:05:31 -------- d-----w C:\DOCUME~1\J\APPLIC~1\Google
2009-01-01 19:01:26 -------- d-----w C:\DOCUME~1\J\APPLIC~1\BitTorrent
2009-01-01 12:55:27 -------- d-----w C:\DOCUME~1\J\APPLIC~1\Spy Emergency
2008-12-31 15:33:05 -------- d-----w C:\Program Files\Skype
2008-12-30 17:51:51 -------- d-----w C:\Program Files\Google
2008-12-30 16:18:27 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-12-29 18:19:33 -------- d-----w C:\Program Files\Microsoft Games
2008-12-25 16:54:34 -------- d-----w C:\Program Files\Windows Live
2008-12-24 16:42:07 -------- d-----w C:\Program Files\Illusion
2008-12-24 16:38:36 -------- d-----w C:\Program Files\DNA
2008-12-20 16:29:39 -------- d-----w C:\Program Files\PuppetMaster
2008-12-11 13:39:27 -------- d-----w C:\Program Files\Latinski Recnik 1.1
2008-12-08 14:06:05 -------- d--h--w C:\Program Files\InstallShield Installation Information
2008-12-04 13:56:11 410,984 ----a-w C:\WINDOWS\system32\deploytk.dll
2008-12-01 14:26:37 -------- d-----w C:\Program Files\SystemRequirementsLab
2008-11-28 15:51:09 -------- d-----w C:\Program Files\Siber Systems
2008-11-24 15:22:37 10 ----a-w C:\WINDOWS\popcinfo.dat
2008-11-23 14:18:22 -------- d-----w C:\Program Files\Njegos »Gorski vijenac«
2008-11-22 20:30:24 -------- d-----w C:\Program Files\mIRC
2008-11-22 17:30:16 -------- d-----w C:\DOCUME~1\J\APPLIC~1\SystemRequirementsLab
2008-11-21 19:58:24 -------- d-----w C:\DOCUME~1\J\APPLIC~1\Capcom
2008-11-21 19:56:01 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-11-15 18:20:52 -------- d-----w C:\DOCUME~1\J\APPLIC~1\PC Suite
2008-11-14 13:03:46 -------- d-----w C:\DOCUME~1\J\APPLIC~1\Skype
2008-11-14 13:00:33 -------- d-----w C:\DOCUME~1\J\APPLIC~1\skypePM
2008-11-12 13:20:35 -------- d-----w C:\Program Files\Mafia-WinterEdition
2008-11-12 12:44:54 -------- d-----w C:\Program Files\MSXML 4.0
2008-11-08 14:11:21 -------- d-----w C:\Program Files\Common Files\Skype
2008-11-06 15:57:20 -------- d-----w C:\DOCUME~1\J\APPLIC~1\EyeSpyFX
2008-10-23 12:36:14 286,720 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-10-22 04:29:02 14,303,392 ----a-w C:\WINDOWS\system32\xlive.dll
2008-10-22 04:29:02 13,643,936 ----a-w C:\WINDOWS\system32\xlivefnt.dll
2008-10-16 13:13:40 202,776 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-10-16 13:13:40 1,809,944 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-10-16 13:12:22 323,608 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-10-16 13:12:20 561,688 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-10-16 13:09:44 92,696 ----a-w C:\WINDOWS\system32\cdm.dll
2008-10-16 13:09:44 51,224 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-10-16 13:09:44 43,544 ----a-w C:\WINDOWS\system32\wups2.dll
2008-10-16 13:08:58 34,328 ----a-w C:\WINDOWS\system32\wups.dll
2008-10-13 18:05:29 356,352 ----a-w C:\WINDOWS\eSellerateEngine.dll
2008-10-10 03:52:38 452,440 ----a-w C:\WINDOWS\system32\d3dx10_40.dll
2008-10-10 03:52:38 4,379,984 ----a-w C:\WINDOWS\system32\D3DX9_40.dll
2008-10-10 03:52:38 2,036,576 ----a-w C:\WINDOWS\system32\D3DCompiler_40.dll
2008-10-03 10:02:42 247,326 ----a-w C:\WINDOWS\system32\strmdll.dll
2008-08-02 23:14:27 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{3049C3E9-B461-4BC5-8870-4C09146192CA}=C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-08-18 13:30]
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}=C:\Program Files\AVG\AVG8\avgssie.dll [2009-01-02 12:34]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 07:01]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-04 14:56]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2008-11-18 13:47]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2008-12-30 18:42]
{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}=C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll [2008-12-30 18:42]
{DBC80044-A445-435b-BC74-9C25C1C588A9}=C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-04 14:56]
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}=C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-04 14:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2009-01-02 12:34]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 01:12]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2008-12-02 22:41]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [2007-08-24 07:01]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"="C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 21:19]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
%SystemRoot%\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 C:\WINDOWS\system32\mlJDtrPg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Media Key.lnk]
backup=C:\WINDOWS\pss\Media Key.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=C:\WINDOWS\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\^.rnd]
path=\.rnd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\^default.pls]
path=\default.pls

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\^ntuser.dat]
path=\ntuser.dat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\^ntuser.dat.LOG]
path=\ntuser.dat.LOG

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\^ntuser.ini]
path=\ntuser.ini

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\90208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\9c147f9a]
rundll32.exe "C:\WINDOWS\system32\rdftlkap.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntamediaBandwidth]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath323Domino]
C:\WINDOWS\Domino.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath323VMSnap]
C:\WINDOWS\VMSnap23.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
"C:\Program Files\DNA\btdna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Caffe-Server]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeCall]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
"C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RamBooster]
C:\Program Files\RamBooster 2.0\Rambooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RapidCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RGSC]
C:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoftickPPP]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyEmergency]
"C:\Program Files\NETGATE\Spy Emergency 2008\SpyEmergency.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ThePrivacyGuard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMUAgent.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
napagent


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{059d64d4-d379-11dd-803b-0018f3ea3f39}]
AutoRun\command- H:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\Rgmen.exe
open\command- H:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\Rgmen.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{08a941f0-6634-11dd-bf14-0018f3ea3f39}]
Auto\command- H:\Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
explore\Command- H:\gg.exe 0e
open\Command- H:\gg.exe 0o

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{220dba5a-71ea-11dd-bf54-0018f3ea3f39}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a9a04b8-4bea-11dc-9917-0018f3ea3f39}]
Auto\command- G:\RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce3ecb5c-6857-11dc-9995-0018f3ea3f39}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e86b5a62-4be3-11dc-9914-0018f3ea3f39}]
Auto\command- RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

*Newly Created Service* - AVG8WD
*Newly Created Service* - AVGFWS8
*Newly Created Service* - AVGLDX86
*Newly Created Service* - AVGMFX86
*Newly Created Service* - AVGRKX86
*Newly Created Service* - AVGTDIX

Contents of the 'Scheduled Tasks' folder
2009-01-02 11:56:10 C:\WINDOWS\tasks\User_Feed_Synchronization-{132907F2-D634-4C67-9942-44DF435096B5}.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 13:55:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

********************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet005\Services\JavaQuickStarterService]
"ImagePath"="\"C:\Program Files\Java\jre6\bin\jqs.exe\" -service -config \"C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf\""

[HKEY_LOCAL_MACHINE\system\ControlSet005\Services\BTHPORT\Parameters\Services\{00001000-0000-1000-8000-00805f9b34fb}]


[HKEY_LOCAL_MACHINE\system\ControlSet005\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSpqlt.sys"

Completion time: 2009-01-02 13:57:04
C:\ComboFix-quarantined-files.txt ... 2009-01-02 13:56
C:\ComboFix2.txt ... 2009-01-02 13:48
C:\ComboFix3.txt ... 2009-01-01 13:01

--- E O F ---

Imao sam zone alarma ali sam ga izbrisao jer nije mogao zajedno da radi sa nodom i imao sam crack za nod
Nema ovaj kljuc {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} samo ovi
{3049C3E9-B461-4BC5-8870-4C09146192CA}
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
{9030D464-4C02-4ABF-8ECC-5164760863C6}
{AA58ED58-01DD-4d91-8333-CF10577473F7}
{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}