Posted: 21 Jul 2008 18:23
- Silija
- Friend of the forum
- Joined: 18 Feb 2008
- Posts: 987
- Location: on the way to an island
Today AntiVirusXP2008 got onto my machine and is blocking everything. Avast can't remove it (it stopped Avast too), and SpyBot doesn't register it as a threat. It is practically impossible to close it, except by going online and then closing that window via Close, because it removes the X in the top right corner. It won't uninstall from Add/Remove Programs. It changed the desktop, and across the middle there is a warning that I have viruses, which cannot be removed. After a restart the internet started working again. What do you suggest? Should I run the scan that is usually suggested here, or something else? I also have the AVG variant; I'm thinking of removing Avast, installing AVG and trying to remove it that way, but it seems to me there's no use in that. Thanks.
Posted: 21 Jul 2008 18:42
- Silija
- Friend of the forum
- Joined: 18 Feb 2008
- Posts: 987
- Location: on the way to an island
Logfile of HijackThis v1.99.1
Scan saved at 18:40:29, on 21.7.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
D:\ZA CUVANJE\NetLimiter 2 Monitor\nlsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
D:\ZA CUVANJE\NetLimiter 2 Monitor\NLClient.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\MC\TR3.exe.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - D:\ZA CUVANJE\NetLimiter 2 Monitor\nlsvc.exe
Posted: 21 Jul 2008 21:46
- Silija
- Friend of the forum
- Joined: 18 Feb 2008
- Posts: 987
- Location: on the way to an island
ComboFix 08-07-20.A0 - Administrator 2008-07-21 21:40:13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.263 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\MC\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\Application Data\rhcc7jj0eccn
C:\Program Files\rhcc7jj0eccn
C:\WINDOWS\system32\blphc97jj0eccn.scr
C:\WINDOWS\system32\lphc97jj0eccn.exe
C:\WINDOWS\system32\phc97jj0eccn.bmp
C:\WINDOWS\system32\pphc97jj0eccn.exe
C:\WINDOWS\system32\WinCtrl32.dll
.
((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
.
2008-07-21 15:59 . 2008-07-21 15:59 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-21 15:59 . 2008-07-21 15:59 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-09 13:56 . 2008-07-09 13:56 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-08 21:17 . 2008-07-08 21:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-08 21:05 . 2008-07-08 21:05 <DIR> d-------- C:\Program Files\ACD Systems
2008-07-08 21:05 . 2008-07-08 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-07-08 21:04 . 2008-07-08 21:04 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-07-08 18:42 . 2008-07-08 18:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-08 18:42 . 2008-07-08 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-08 18:35 . 2008-07-08 20:12 <DIR> d-------- C:\Program Files\Yahoo!
2008-07-08 15:09 . 2003-08-19 13:36 65,536 --a------ C:\WINDOWS\system32\dllcache\a3d.dll
2008-07-08 15:09 . 2003-08-19 13:36 65,536 -ra------ C:\WINDOWS\system32\Audio3D.dll
2008-07-08 15:09 . 2003-08-19 13:36 65,536 -ra------ C:\WINDOWS\system32\a3d.dll
2008-07-05 14:25 . 2008-07-13 18:20 32 --a------ C:\WINDOWS\hip
2008-07-05 09:46 . 2008-07-05 09:46 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-07-05 09:46 . 2008-07-05 09:46 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-07-04 12:54 . 2008-07-04 12:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Locktime
2008-07-04 12:52 . 2008-07-04 12:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Locktime
2008-06-30 17:28 . 2008-06-30 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-30 17:27 . 2008-06-30 17:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-26 10:04 . 2008-06-26 10:04 268 --ah----- C:\sqmdata00.sqm
2008-06-26 10:04 . 2008-06-26 10:04 244 --ah----- C:\sqmnoopt00.sqm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-19 09:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\mIRC
2008-07-19 09:13 --------- d-----w C:\Program Files\mIRC
2008-07-16 21:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-07-16 14:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-15 10:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Ahead
2008-07-08 19:05 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-07-08 18:50 --------- d-----w C:\Program Files\Common Files\Ahead
2008-06-30 15:29 --------- d-----w C:\Program Files\Lavasoft
2008-06-30 15:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-06-18 16:21 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-18 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-16 19:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MSNInstaller
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-03-14 18:51 0 ----a-w C:\Program Files\temp01
.
------- Sigcheck -------
2007-10-30 19:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\SP2GDR\tcpip.sys
2007-10-30 18:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\SP2QFE\tcpip.sys
2004-06-17 11:00 360448 65c34c093e839505636954ead50fa315 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-06-17 11:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 22:10 344064]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 10:31 67584 C:\WINDOWS\SOUNDMAN.EXE]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll
"VIDC.X264"= x264vfw.dll
"VIDC.ACDV"= ACDV.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winek06.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 04:01 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-12-18 18:32 25365032 C:\Program Files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R1 nltdi;nltdi;C:\WINDOWS\system32\drivers\nltdi.sys [2007-04-23 18:08]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
S0 Winek06;Winek06;C:\WINDOWS\system32\Drivers\Winek06.sys []
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e2f95a11-c830-11dc-9a01-806d6172696f}]
\Shell\AutoRun\command - E:\Setup.exe
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Device Detector - DevDetect.exe
MSConfigStartUp-NeroFilterCheck - C:\WINDOWS\system32\NeroCheck.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-21 21:42:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-21 21:44:22
ComboFix-quarantined-files.txt 2008-07-21 19:43:55
Pre-Run: 15,412,994,048 bytes free
Post-Run: 15,604,768,768 bytes free
138
Posted: 22 Jul 2008 11:58
- Silija
- Friend of the forum
- Joined: 18 Feb 2008
- Posts: 987
- Location: on the way to an island
When re-activating SpyBot, it asked me whether I allow some change. My finger was faster than my brain; I don't know what I clicked. A second question followed, which I understood as whether I allow a change to the desktop and screensaver (everything was happening through the desktop - colour change, removal of my picture...), so I said NO. When I did a new scan with Combo, it asked whether I allow removing the change from the desktop - I said yes. If I did anything wrong here....
When activating Avast, when I allow it to be enabled again, do I need to click the icon and click "stop on-access" again...?
The scans I did in the previous 2 posts took 70 MB from me. Is that normal?
Finally, here is the new scan.
ComboFix 08-07-20.A0 - Administrator 2008-07-22 11:47:10.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.254 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\MC\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-06-22 to 2008-07-22 )))))))))))))))))))))))))))))))
.
2008-07-21 15:59 . 2008-07-21 15:59 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-21 15:59 . 2008-07-21 15:59 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-09 13:56 . 2008-07-09 13:56 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-08 21:17 . 2008-07-08 21:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-08 21:05 . 2008-07-08 21:05 <DIR> d-------- C:\Program Files\ACD Systems
2008-07-08 21:05 . 2008-07-08 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-07-08 21:04 . 2008-07-08 21:04 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-07-08 18:42 . 2008-07-08 18:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-08 18:42 . 2008-07-08 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-08 18:35 . 2008-07-08 20:12 <DIR> d-------- C:\Program Files\Yahoo!
2008-07-08 15:09 . 2003-08-19 13:36 65,536 --a------ C:\WINDOWS\system32\dllcache\a3d.dll
2008-07-08 15:09 . 2003-08-19 13:36 65,536 -ra------ C:\WINDOWS\system32\Audio3D.dll
2008-07-08 15:09 . 2003-08-19 13:36 65,536 -ra------ C:\WINDOWS\system32\a3d.dll
2008-07-05 14:25 . 2008-07-13 18:20 32 --a------ C:\WINDOWS\hip
2008-07-05 09:46 . 2008-07-05 09:46 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-07-05 09:46 . 2008-07-05 09:46 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-07-04 12:54 . 2008-07-04 12:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Locktime
2008-07-04 12:52 . 2008-07-04 12:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Locktime
2008-06-30 17:28 . 2008-06-30 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-30 17:27 . 2008-06-30 17:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-26 10:04 . 2008-06-26 10:04 268 --ah----- C:\sqmdata00.sqm
2008-06-26 10:04 . 2008-06-26 10:04 244 --ah----- C:\sqmnoopt00.sqm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-19 09:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\mIRC
2008-07-19 09:13 --------- d-----w C:\Program Files\mIRC
2008-07-16 21:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-07-16 14:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-15 10:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Ahead
2008-07-08 19:05 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-07-08 18:50 --------- d-----w C:\Program Files\Common Files\Ahead
2008-06-30 15:29 --------- d-----w C:\Program Files\Lavasoft
2008-06-30 15:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-06-18 16:21 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-18 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-16 19:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MSNInstaller
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-03-14 18:51 0 ----a-w C:\Program Files\temp01
.
------- Sigcheck -------
2007-10-30 19:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\SP2GDR\tcpip.sys
2007-10-30 18:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\SP2QFE\tcpip.sys
2004-06-17 11:00 360448 65c34c093e839505636954ead50fa315 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-07-21_21.43.45.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-21 19:30:57 32,768 ----a-w C:\WINDOWS\TEMP\Cookies\index.dat
+ 2008-07-22 09:36:04 32,768 ----a-w C:\WINDOWS\TEMP\Cookies\index.dat
- 2008-07-21 19:30:57 32,768 ----a-w C:\WINDOWS\TEMP\History\History.IE5\index.dat
+ 2008-07-22 09:36:04 32,768 ----a-w C:\WINDOWS\TEMP\History\History.IE5\index.dat
+ 2008-07-22 09:35:44 32,768 ----a-w C:\WINDOWS\TEMP\History\History.IE5\MSHist012008072220080723\index.dat
+ 2008-07-22 09:35:54 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_688.dat
- 2008-07-21 19:30:57 32,768 ----a-w C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-22 09:36:04 32,768 ----a-w C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-06-17 11:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 22:10 344064]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 10:31 67584 C:\WINDOWS\SOUNDMAN.EXE]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll
"VIDC.X264"= x264vfw.dll
"VIDC.ACDV"= ACDV.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winek06.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 04:01 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-12-18 18:32 25365032 C:\Program Files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R1 nltdi;nltdi;C:\WINDOWS\system32\drivers\nltdi.sys [2007-04-23 18:08]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
S0 Winek06;Winek06;C:\WINDOWS\system32\Drivers\Winek06.sys []
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e2f95a11-c830-11dc-9a01-806d6172696f}]
\Shell\AutoRun\command - E:\Setup.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 11:48:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-22 11:50:55
ComboFix-quarantined-files.txt 2008-07-22 09:50:19
ComboFix2.txt 2008-07-21 19:44:23
Pre-Run: 15,588,962,304 bytes free
Post-Run: 15,581,757,440 bytes free
134
Posted: 22 Jul 2008 19:02
- Silija
- Friend of the forum
- Joined: 18 Feb 2008
- Posts: 987
- Location: on the way to an island
Somewhere along the way I realized that I should have turned the protection back on. So, here is a new scan without protection.
The MB are megabytes of internet traffic: 70 MB in the short time it took me to read what to do and do it, which wasn't even half an hour.
In Add/Remove Programs it says it's no longer there. That was before this scan I'm sending now. The icons and the desktop changes remained, but I was allowed to remove all of that and restore the desktop to how it was.
ComboFix 08-07-20.A0 - Administrator 2008-07-22 18:46:06.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.244 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\MC\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-06-22 to 2008-07-22 )))))))))))))))))))))))))))))))
.
2008-07-21 15:59 . 2008-07-21 15:59 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-21 15:59 . 2008-07-21 15:59 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-09 13:56 . 2008-07-09 13:56 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-08 21:17 . 2008-07-08 21:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-08 21:05 . 2008-07-08 21:05 <DIR> d-------- C:\Program Files\ACD Systems
2008-07-08 21:05 . 2008-07-08 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-07-08 21:04 . 2008-07-08 21:04 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-07-08 18:42 . 2008-07-08 18:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-08 18:42 . 2008-07-08 19:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-08 18:35 . 2008-07-08 20:12 <DIR> d-------- C:\Program Files\Yahoo!
2008-07-08 15:09 . 2003-08-19 13:36 65,536 --a------ C:\WINDOWS\system32\dllcache\a3d.dll
2008-07-08 15:09 . 2003-08-19 13:36 65,536 -ra------ C:\WINDOWS\system32\Audio3D.dll
2008-07-08 15:09 . 2003-08-19 13:36 65,536 -ra------ C:\WINDOWS\system32\a3d.dll
2008-07-05 14:25 . 2008-07-13 18:20 32 --a------ C:\WINDOWS\hip
2008-07-05 09:46 . 2008-07-05 09:46 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-07-05 09:46 . 2008-07-05 09:46 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-07-04 12:54 . 2008-07-04 12:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Locktime
2008-07-04 12:52 . 2008-07-04 12:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Locktime
2008-06-30 17:28 . 2008-06-30 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-30 17:27 . 2008-06-30 17:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-26 10:04 . 2008-06-26 10:04 268 --ah----- C:\sqmdata00.sqm
2008-06-26 10:04 . 2008-06-26 10:04 244 --ah----- C:\sqmnoopt00.sqm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-19 09:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\mIRC
2008-07-19 09:13 --------- d-----w C:\Program Files\mIRC
2008-07-16 21:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-07-16 14:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-15 10:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Ahead
2008-07-08 19:05 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-07-08 18:50 --------- d-----w C:\Program Files\Common Files\Ahead
2008-06-30 15:29 --------- d-----w C:\Program Files\Lavasoft
2008-06-30 15:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-06-18 16:21 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-18 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-16 19:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MSNInstaller
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-03-14 18:51 0 ----a-w C:\Program Files\temp01
.
------- Sigcheck -------
2007-10-30 19:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\SP2GDR\tcpip.sys
2007-10-30 18:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\SP2QFE\tcpip.sys
2004-06-17 11:00 360448 65c34c093e839505636954ead50fa315 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-07-21_21.43.45.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-21 19:30:57 32,768 ----a-w C:\WINDOWS\TEMP\Cookies\index.dat
+ 2008-07-22 16:31:12 32,768 ----a-w C:\WINDOWS\TEMP\Cookies\index.dat
- 2008-07-21 19:30:57 32,768 ----a-w C:\WINDOWS\TEMP\History\History.IE5\index.dat
+ 2008-07-22 16:31:12 32,768 ----a-w C:\WINDOWS\TEMP\History\History.IE5\index.dat
+ 2008-07-22 16:30:47 32,768 ----a-w C:\WINDOWS\TEMP\History\History.IE5\MSHist012008072220080723\index.dat
+ 2008-07-22 16:30:56 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_6a0.dat
- 2008-07-21 19:30:57 32,768 ----a-w C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-22 16:31:12 32,768 ----a-w C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-06-17 11:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 22:10 344064]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 10:31 67584 C:\WINDOWS\SOUNDMAN.EXE]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll
"VIDC.X264"= x264vfw.dll
"VIDC.ACDV"= ACDV.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winek06.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 04:01 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-12-18 18:32 25365032 C:\Program Files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R1 nltdi;nltdi;C:\WINDOWS\system32\drivers\nltdi.sys [2007-04-23 18:08]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
S0 Winek06;Winek06;C:\WINDOWS\system32\Drivers\Winek06.sys []
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e2f95a11-c830-11dc-9a01-806d6172696f}]
\Shell\AutoRun\command - E:\Setup.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 18:47:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-22 18:49:43
ComboFix-quarantined-files.txt 2008-07-22 16:49:37
ComboFix2.txt 2008-07-22 09:50:56
ComboFix3.txt 2008-07-21 19:44:23
Pre-Run: 15,577,796,608 bytes free
Post-Run: 15,570,194,432 bytes free
134
Posted: 22 Jul 2008 20:43
- dr_Bora
- Anti Malware Fighter
Rank 2
- Joined: 24 Jul 2007
- Posts: 12280
- Location: Höganäs, SE
The scans have nothing to do with internet traffic (the programs used don't access the net, and ComboFix even cuts the internet connection while it runs - so the only consumption here was the download of the programs, and that is less than 3 MB).
Probably some program or Windows was doing an update.
Well... The previous procedure didn't do what it was supposed to either.
We'll try another way.
Download the file from the [url=https://www.mycity.rs/must-login.png]link[/url] to the Desktop.
Double-click it - when the prompt appears, click Yes.
Restart the computer, then double-click to run ComboFix and post here the logfile it creates.