da, na mom kompu radi skype ok, komplikovano stvarno, kis 2009 i Malwarebytes' Anti-Malware ne pronalaze nista!

mozda je u pitanju neki smap boot   :S
koji mozda on ima..nemora da znaci da si bas ti u pitanju...no ako zelis mozemo da proverimo...

Skini DDS Program na Desktop
http://download.bleepingcomputer.com/sUBs/dds.com

Dvoklikom pokreni dds.scr

Kad zavrsi, DDS ce otvoriti dva loga:
         1. DDS.txt
         2. Attach.txt

Oba izvestaja sacuvaj na Desktop.
Kopiraj mi DDS.txt

note: u frci sam sa vremenom...pa ako ti odmah ne odgovorim..znaj da cu ti se javiti cim vidim poruku (log)

DDS (Ver_10-03-17.01) - NTFSx86 
Run by krchevinac at  1:01:15,62 on ??? 02.08.2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1252 [GMT 2:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Outdated)   {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled*   {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda USB Vaccine\USBVaccine.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Common Files\Sony Ericsson\Emma Core\Services\EmmaDeviceMgmt.exe
C:\Program Files\Common Files\Sony Ericsson\Emma Core\Services\EmmaUpdateMgmt.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\krchevinac\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\krchevinac\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\krchevinac\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Downloads\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uDefault_Page_URL = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: SFCDisable=-99 (0xffffff9d)
BHO: Yahoo! Companion BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_6_2_0.dll
BHO: {05ebed79-8cb1-486c-a334-5349049c9b38} - c:\windows\system32\jkkkkHaY.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: &Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_6_2_0.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\krchevinac\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267390265578
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {A0AB868F-9998-485F-83F4-0F7EE3788CD6} = 192.168.100.1
TCP: {C49405E4-1C2C-4BEF-89EF-7346CB2D2593} = 192.168.100.1
TCP: {D9DEA323-0FC3-47FA-8C71-DD418C7FDBED} = 192.168.100.1
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\jkkkkHaY

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\krchev~1\applic~1\mozilla\firefox\profiles\33i2iox5.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\documents and settings\krchevinac\application data\mozilla\firefox\profiles\33i2iox5.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\krchevinac\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\opera 10 beta\program\plugins\npdsplay.dll
FF - plugin: c:\program files\opera 10 beta\program\plugins\NPSWF32.dll
FF - plugin: c:\program files\opera 10 beta\program\plugins\npwmsdrm.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2008-11-3 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2008-11-3 5248]
R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [2005-8-4 26112]
R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2008-11-4 213520]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-7-29 208616]
R2 EmmaDevMgmtSvc;Emma Device Management;c:\program files\common files\sony ericsson\emma core\services\EmmaDeviceMgmt.exe [2010-2-25 306296]
R2 EmmaUpdMgmtSvc;Emma Update Management;c:\program files\common files\sony ericsson\emma core\services\EmmaUpdateMgmt.exe [2010-2-25 162936]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-12-30 304464]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\sony ericsson\sony ericsson pc suite\SupServ.exe [2010-3-9 90112]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-12-30 20952]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-3-9 27632]
S2 gupdate1c9911229aa8650;Google Update Service (gupdate1c9911229aa8650);c:\program files\google\update\GoogleUpdate.exe [2009-2-17 133104]
S3 dwVSCD;NetOp Virtual Smart Card Driver;c:\windows\system32\drivers\dwvscd.sys [2008-11-11 16696]
S3 FXDRV;FXDRV;\??\e:\fxdrv.sys --> e:\Fxdrv.sys [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2010-3-9 13224]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2009-1-4 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2009-1-4 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2009-1-4 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2009-1-4 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2009-1-4 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2009-1-4 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2009-1-4 115752]

=============== Created Last 30 ================

2010-07-24 21:36:10   593920   ------w-   c:\windows\system32\ati2sgag.exe
2010-07-24 21:35:38   0   d-----w-   C:\ATI
2010-07-24 21:30:21   10   ----a-w-   c:\windows\WININIT.INI
2010-07-19 07:00:09   0   d-----w-   c:\program files\VideoLAN
2010-07-16 12:11:07   0   d-----w-   c:\program files\Pidgin

==================== Find3M  ====================

2010-08-01 20:38:49   5852   --sha-w-   c:\windows\system32\drivers\fidbox2.idx
2010-08-01 20:38:49   5436960   --sha-w-   c:\windows\system32\drivers\fidbox.dat
2010-08-01 20:38:49   44604   --sha-w-   c:\windows\system32\drivers\fidbox.idx
2010-08-01 20:38:49   1089568   --sha-w-   c:\windows\system32\drivers\fidbox2.dat
2010-07-31 14:30:08   138184   ----a-w-   c:\windows\system32\drivers\PnkBstrK.sys
2010-07-31 14:30:01   183112   ----a-w-   c:\windows\system32\PnkBstrB.exe
2010-07-30 19:58:49   97549   ----a-w-   c:\windows\system32\drivers\klick.dat
2010-07-30 19:58:49   113933   ----a-w-   c:\windows\system32\drivers\klin.dat
2010-07-26 18:10:38   156672   ----a-w-   c:\windows\system32\rmc_fixasf.exe
2010-07-26 18:10:37   237568   ----a-w-   c:\windows\system32\rmc_rtspdl.dll
2010-07-26 18:10:36   323584   ----a-w-   c:\windows\system32\AUDIOGENIE2.DLL
2009-11-07 22:41:49   32768   --sha-w-   c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009110720091108\index.dat

============= FINISH:  1:02:41,56 ===============

Cao. sorry zbog nejavljanja...bio sam "away &  busy"...
ja bih ovde voleo da pustis Combofix jer se izgleda tu krije malo jaci malware ...


*  Skini ComboFix program na Desktop
Poseti ovu stranicu za download link i Uputstvo za koriscenje Combofix programa:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*  Privremeno iskljuci svoj AntiVirus program.
Poseti ovu stranicu za uputstvo:
http://www.bleepingcomputer.com/forums/topic114351.html

*  Pokreni Combofix!
Kad alat zavrsi skeniranje otvorice notepad sa izvestajem ComboFix.txt (log).
Kopiraj taj izvestaj ovde. (tipicna lokacija loga: C:\ComboFix.txt)

nece da moze instalacija ok, skeniranje nikako da zavrsi, znaci zavrsni deo je radio 3 sata i nije bilo gotovo, ja sam prekinuo!!

ps: odradjeno sve po upustvu

Obrisi ikonicu Combofix-a. Skini novi Combofix ali pre skidanja rename-uj ga u drugi naziv npr. boom.exe pa pokusaj ponovo


edit: U koliko ni tad nece da se pokrene...pokreni ga iz Safe Moda

konacno iz safe moda!


ComboFix 10-08-04.04 - krchevinac 05.08.2010   9:00.1.2 - x86 MINIMAL
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1792 [GMT 2:00]
Running from: c:\documents and settings\krchevinac\Desktop\boom.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\hpe3AC.dll
c:\documents and settings\krchevinac\Application Data\facemoods.com
c:\windows\daemon.dll
c:\windows\system32\rilcruim.ini
c:\windows\wc98pp.dll
D:\resycled

Infected copy of c:\windows\system32\kernel32.dll was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS


(((((((((((((((((((((((((   Files Created from 2010-07-05 to 2010-08-05  )))))))))))))))))))))))))))))))
.

2010-08-04 21:43 . 2010-06-14 14:31   744448   ------w-   c:\windows\system32\dllcache\helpsvc.exe
2010-08-04 21:26 . 2009-10-23 15:28   3558912   ------w-   c:\windows\system32\dllcache\moviemk.exe
2010-08-04 21:08 . 2009-12-24 06:42   178176   ------w-   c:\windows\system32\dllcache\wintrust.dll
2010-08-04 21:08 . 2010-01-13 14:01   86016   ------w-   c:\windows\system32\dllcache\cabview.dll
2010-07-24 21:36 . 2008-05-12 08:49   593920   ------w-   c:\windows\system32\ati2sgag.exe
2010-07-24 21:35 . 2010-07-24 21:35   --------   d-----w-   C:\ATI
2010-07-19 07:00 . 2010-07-19 07:00   --------   d-----w-   c:\program files\VideoLAN
2010-07-16 12:11 . 2010-07-16 12:11   --------   d-----w-   c:\program files\Pidgin

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-05 07:14 . 2008-11-04 10:37   5451296   --sha-w-   c:\windows\system32\drivers\fidbox.dat
2010-08-05 07:13 . 2008-11-04 10:37   1097760   --sha-w-   c:\windows\system32\drivers\fidbox2.dat
2010-08-05 06:54 . 2008-11-04 10:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-08-05 06:48 . 2008-11-04 10:37   5880   --sha-w-   c:\windows\system32\drivers\fidbox2.idx
2010-08-05 06:48 . 2008-11-04 10:37   44716   --sha-w-   c:\windows\system32\drivers\fidbox.idx
2010-08-05 06:48 . 2008-11-03 16:27   --------   d-----w-   c:\documents and settings\krchevinac\Application Data\Skype
2010-08-04 23:21 . 2008-11-03 19:14   --------   d-----w-   c:\documents and settings\krchevinac\Application Data\SkypePM
2010-08-04 23:03 . 2008-11-03 15:48   --------   d-----w-   c:\program files\FlashGet
2010-07-31 21:54 . 2008-11-03 20:48   --------   d-----w-   c:\documents and settings\krchevinac\Application Data\Media Player Classic
2010-07-31 14:30 . 2009-07-28 08:15   138184   ----a-w-   c:\windows\system32\drivers\PnkBstrK.sys
2010-07-31 14:30 . 2009-07-28 08:15   183112   ----a-w-   c:\windows\system32\PnkBstrB.exe
2010-07-30 19:58 . 2008-11-04 10:38   97549   ----a-w-   c:\windows\system32\drivers\klick.dat
2010-07-30 19:58 . 2008-11-04 10:38   113933   ----a-w-   c:\windows\system32\drivers\klin.dat
2010-07-26 18:23 . 2009-10-18 08:10   --------   d-----w-   c:\program files\Replay Media Catcher
2010-07-26 18:10 . 2009-10-18 08:25   156672   ----a-w-   c:\windows\system32\rmc_fixasf.exe
2010-07-26 18:10 . 2009-10-18 08:25   237568   ----a-w-   c:\windows\system32\rmc_rtspdl.dll
2010-07-26 18:10 . 2009-10-18 08:13   323584   ----a-w-   c:\windows\system32\AUDIOGENIE2.DLL
2010-07-19 10:21 . 2009-11-05 08:57   --------   d-----w-   c:\program files\CCleaner
2010-06-20 18:37 . 2008-11-03 15:56   --------   d-----w-   c:\documents and settings\krchevinac\Application Data\AccurateRip
2010-06-14 14:31 . 2008-11-03 15:06   744448   ----a-w-   c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-12 20:56 . 2010-06-12 20:56   7168   ----a-w-   c:\documents and settings\krchevinac\Application Data\Thinstall\EVEREST Ultimate Edition v4.60\400000c00002i\jqsnotify.exe
2010-06-10 18:28 . 2010-06-10 18:28   --------   d-----w-   c:\program files\Common Files\Skype
2010-05-28 19:09 . 2010-05-28 19:09   17801   ----a-w-   c:\windows\system32\drivers\AegisP.sys
2010-05-25 07:37 . 2008-12-30 19:20   10   ----a-w-   c:\windows\popcinfo.dat
2010-05-24 06:06 . 2010-05-24 06:06   503808   ----a-w-   c:\documents and settings\krchevinac\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2894cb86-n\msvcp71.dll
2010-05-24 06:06 . 2010-05-24 06:06   499712   ----a-w-   c:\documents and settings\krchevinac\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2894cb86-n\jmc.dll
2010-05-24 06:06 . 2010-05-24 06:06   348160   ----a-w-   c:\documents and settings\krchevinac\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2894cb86-n\msvcr71.dll
2010-05-24 06:06 . 2010-05-24 06:06   61440   ----a-w-   c:\documents and settings\krchevinac\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7f346808-n\decora-sse.dll
2010-05-24 06:06 . 2010-05-24 06:06   12800   ----a-w-   c:\documents and settings\krchevinac\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7f346808-n\decora-d3d.dll
2010-05-19 18:50 . 2008-01-29 17:29   33808   ----a-w-   c:\windows\system32\drivers\klbg.sys
2010-05-19 18:50 . 2009-02-05 12:51   33808   ----a-w-   c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.454\klbg.sys
2010-05-19 18:50 . 2009-02-05 12:51   213520   ----a-w-   c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.454\XP\klif.sys
.

------- Sigcheck -------

[-] 2009-01-08 . 5AE1C2695F6523AD98B948F2887D8C5E . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp3qfe\tcpip.sys
[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp3gdr\tcpip.sys
[-] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp2gdr\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp2qfe\tcpip.sys

[-] 2009-01-08 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\krchevinac\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-30 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-05-12 831488]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"RTHDCPL"="RTHDCPL.EXE" [2005-03-23 14202368]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-07-24 208616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^home.url]
backup=c:\windows\pss\home.urlCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^playonline.url]
backup=c:\windows\pss\playonline.urlCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows\system32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Systweak Wallpaper Changer]
wallpaper.exe  -minimize [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 01:38   34672   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-03-10 01:43   69632   ----a-r-   c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
2004-08-22 16:05   81920   ----a-w-   c:\program files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-06-30 09:02   133104   ----atw-   c:\documents and settings\krchevinac\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2005-01-07 16:07   61952   ----a-w-   c:\windows\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 15:44   3883856   ----a-w-   c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 22:08   417792   ----a-w-   c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2009-09-24 13:41   434176   ----a-w-   c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Goiceasoft Studios\\Counter Strike 1.8 Goiceasoft\\cstrike.exe"=
"c:\\Program Files\\Sony Ericsson\\SEMC OMSI Module\\SEMC OMSI Module.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [3.11.2008 18:17 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [3.11.2008 18:17 5248]
R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [4.8.2005 6:51 26112]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [29.1.2008 19:29 33808]
R2 EmmaDevMgmtSvc;Emma Device Management;c:\program files\Common Files\Sony Ericsson\Emma Core\Services\EmmaDeviceMgmt.exe [25.2.2010 10:43 306296]
R2 EmmaUpdMgmtSvc;Emma Update Management;c:\program files\Common Files\Sony Ericsson\Emma Core\Services\EmmaUpdateMgmt.exe [25.2.2010 10:43 162936]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [30.12.2009 0:01 304464]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [9.3.2010 21:08 90112]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [13.3.2008 20:02 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [30.4.2008 18:06 24592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [30.12.2009 0:01 20952]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [9.3.2010 21:08 27632]
S2 gupdate1c9911229aa8650;Google Update Service (gupdate1c9911229aa8650);c:\program files\Google\Update\GoogleUpdate.exe [17.2.2009 17:12 133104]
S3 dwVSCD;NetOp Virtual Smart Card Driver;c:\windows\system32\drivers\dwvscd.sys [11.11.2008 10:21 16696]
S3 FXDRV;FXDRV;\??\e:\fxdrv.sys --> e:\Fxdrv.sys [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [9.3.2010 22:24 13224]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [4.1.2009 21:00 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [4.1.2009 21:00 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [4.1.2009 21:00 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [4.1.2009 21:00 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [4.1.2009 21:00 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [4.1.2009 21:00 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [4.1.2009 21:00 115752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper   REG_MULTI_SZ      getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-17 15:12]

2010-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-17 15:12]

2010-08-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-2025429265-839522115-1003Core.job
- c:\documents and settings\krchevinac\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-30 09:02]

2010-08-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-2025429265-839522115-1003UA.job
- c:\documents and settings\krchevinac\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-30 09:02]

2010-08-05 c:\windows\Tasks\PandaUSBVaccine.job
- c:\program files\Panda USB Vaccine\RunInteractiveWin.exe [2009-12-07 15:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {A0AB868F-9998-485F-83F4-0F7EE3788CD6} = 192.168.100.1
TCP: {C49405E4-1C2C-4BEF-89EF-7346CB2D2593} = 192.168.100.1
TCP: {D9DEA323-0FC3-47FA-8C71-DD418C7FDBED} = 192.168.100.1
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} -
FF - ProfilePath - c:\documents and settings\krchevinac\Application Data\Mozilla\Firefox\Profiles\33i2iox5.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\documents and settings\krchevinac\Application Data\Mozilla\Firefox\Profiles\33i2iox5.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\krchevinac\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{05EBED79-8CB1-486C-A334-5349049C9B38} - c:\windows\system32\jkkkkHaY.dll
MSConfigStartUp-Ad-Watch - c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
MSConfigStartUp-kdcyr - c:\windows\system32\kdcyr.exe
MSConfigStartUp-DudeServer - c:\program files\Dude\dude.exe
MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-05 09:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A4A9F00]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf766bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> 0x8a4a9f00
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e66b2
 ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e66b2
 ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: Broadcom NetLink (TM) Gigabit Ethernet #2 -> SendCompleteHandler -> NDIS.sys @ 0xf796fbb0
 PacketIndicateHandler -> NDIS.sys @ 0xf797ca21
 SendHandler -> NDIS.sys @ 0xf795a87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-789336058-2025429265-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:03,4f,c1,a4,3c,57,9e,63,0f,69,2c,2a,80,c8,ef,e9,f8,59,0d,57,d2,
   b9,07,29,57,94,d9,a8,86,65,aa,66,09,ff,1e,fc,f1,e4,82,c2,3a,93,e0,b8,4a,23,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1188)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(896)
c:\windows\system32\WININET.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Common Files\Nero\Lib\NeroDigitalExt.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\program files\Illustrate\dBpoweramp\dBShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\acs.exe
c:\program files\Panda USB Vaccine\USBVaccine.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PnkBstrA.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-08-05  09:18:38 - machine was rebooted
ComboFix-quarantined-files.txt  2010-08-05 07:18

Pre-Run: 42.019.590.144 bytes free
Post-Run: 41.927.929.856 bytes free

Current=2 Default=2 Failed=0 LastKnownGood=6 Sets=1,2,3,4,6
- - End Of File - - 5043B3C1E1E5E5ACA7E03410BA907A44

'Vako...ovo sad izgleda mnogo bolje...da polako privodimo kraju ovaj deo...

-->  Pronadji sledeci file:

C:\Qoobox\Quarantine\C\WINDOWS\daemon.dll.vir

Upload-uj ga na VirusTotal


........................


Ponovo pokreni ComboFix ali ovaj put iz normalnog moda.
Combofix ce u toku rada mozda proveriti dal ima nova verzija. Kad zavrsi...postavi mi log koji bude napravio...

i sacekaj da ti dam dalje upute ...moracemo da vracamo neki file koji je CF greskom obrisao a legitiman je

Upload-ovo sam ono sto si rekao i ako sam dobro razumeo da KIS ima definicije za to!! ali ComboFix i dalje nece u normalnom modu, cak ni sa promenjenim imenom

Hajde to sto si upload-ovao...taj file ...daj mi link od rezultata ...to sam zaboravio da ti kazem...da mi kopiras link..

ukoliko ga nemas...ponovi analizu da postavi link da vidim (URL )

.........


Hajde obrisi ikonicu od Combofix-a i skini novi sa datog linka...

Otvori Notepad i kopiraj tekst koji se nalazi ispod:




Klikni na File\Save as i sacuvaj tekst kao CFScript na desktop

Slika



Prati uputstvo sa slike i prevuci CFScript.txt preko ikonice ComboFix.exe
To ce startovati  ComboFix, mozda ce doci do restarta sistema (to je normalno)
Kada zavrsi,pojavice se log (C:\ComboFix.txt) koji ces kopirati na forum