Poslao: 19 Jan 2009 13:09
|
offline
- TeoDos
- Građanin
- Pridružio: 23 Jan 2008
- Poruke: 65
- Gde živiš: Beograd
|
Molim za proveru.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:53:36, on 19/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\drivers\SbiCtr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Phoenix Technologies Ltd\RecoverPro_XP\VBPTASK.EXE
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\LTMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\Program Files\Fujitsu Siemens\Hard Disk Noise Control\HDDFC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TeamViewer3\TeamViewer_Host.exe
C:\Program Files\TeamViewer3\TeamViewer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\Desktop\New Folder\Azra.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe %windir%\system32\drivers\SbiCtr.exe
O1 - Hosts: 72.14.207.99 facebook.com
O1 - Hosts: 72.14.207.99 myspace.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies Ltd\RecoverPro_XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SbiCtr.exe] C:\WINDOWS\system32\drivers\SbiCtr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: KTITOR_2009.lnk = C:\Program Files\2009\2009.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{11E41D21-F58E-4956-938C-41741B79A8A7}: NameServer = 192.168.0.11,91.150.90.2,91.150.90.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{11E41D21-F58E-4956-938C-41741B79A8A7}: NameServer = 192.168.0.11,91.150.90.2,91.150.90.3
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Hard Disk Noise Control (HDDFC) - Fujitsu Siemens Computers - c:\Program Files\Fujitsu Siemens\Hard Disk Noise Control\HDDFC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: TeamViewer 3 (TeamViewer) - TeamViewer GmbH - C:\Program Files\TeamViewer3\TeamViewer_Host.exe
--
End of file - 8323 bytes
|
|
|
|
|
Poslao: 19 Jan 2009 13:49
|
offline
- TeoDos
- Građanin
- Pridružio: 23 Jan 2008
- Poruke: 65
- Gde živiš: Beograd
|
Evo i log ComboFix-a
Problem je bio u tome da je Task Manager bio do skeniranja sa ComboFix-om bio desable i nisam mogao da mu pridjem. Jutros kad sam upalio komp avast je prijavio dva zarazena fajla koja je prilikom svakog restarta racunara ponavljao. Pokusavao sam i sa Malwarebytes' Anti-Malware-om da ih uklonim ali su se svaki put ''vracali''.
ComboFix 09-01-18.03 - user 2009-01-19 13:26:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1534.1002 [GMT 1:00]
Running from: c:\documents and settings\user\Desktop\New Folder\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090118-0] *On-access scanning disabled* (Updated)
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.
2009-01-19 11:58 . 2009-01-19 11:58 <DIR> d-------- c:\documents and settings\user\Application Data\Malwarebytes
2009-01-19 11:57 . 2009-01-19 11:57 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-19 11:57 . 2009-01-19 11:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-19 11:57 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-19 11:57 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-19 11:27 . 2009-01-19 11:27 1,409 --a------ c:\windows\system32\tmpE1028.FOT
2009-01-19 11:27 . 2009-01-19 11:27 1,409 --a------ c:\windows\system32\tmp54428.FOT
2009-01-19 09:48 . 2009-01-19 09:48 1,409 --a------ c:\windows\system32\tmpCD9A0.FOT
2009-01-19 09:48 . 2009-01-19 09:48 1,409 --a------ c:\windows\system32\tmp039A0.FOT
2009-01-19 09:22 . 2009-01-19 09:22 1,409 --a------ c:\windows\system32\tmpE41B0.FOT
2009-01-19 09:22 . 2009-01-19 09:22 1,409 --a------ c:\windows\system32\tmp333B0.FOT
2009-01-19 08:44 . 2009-01-19 08:44 715,776 -r-hs---- c:\windows\system32\drivers\SbiCtr.exe
2009-01-19 08:43 . 2009-01-19 08:43 1,409 --a------ c:\windows\system32\tmpA66D0.FOT
2009-01-19 08:43 . 2009-01-19 08:43 1,409 --a------ c:\windows\system32\tmp7E6D0.FOT
2008-12-31 10:32 . 2008-12-31 10:32 1,409 --a------ c:\windows\system32\tmpFC3D5.FOT
2008-12-31 10:32 . 2008-12-31 10:32 1,409 --a------ c:\windows\system32\tmpD14D5.FOT
2008-12-27 08:38 . 2008-12-27 08:38 1,409 --a------ c:\windows\system32\tmp6A801.FOT
2008-12-27 08:38 . 2008-12-27 08:38 1,409 --a------ c:\windows\system32\tmp2A601.FOT
2008-12-26 13:22 . 2009-01-19 12:49 <DIR> d-------- c:\program files\2009
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 12:25 --------- d-----w c:\documents and settings\user\Application Data\Skype
2009-01-19 11:49 --------- d-----w c:\documents and settings\user\Application Data\OpenOffice.org2
2009-01-19 11:41 --------- d-----w c:\program files\CCLEANER
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\dllcache\srv.sys
2008-11-21 13:52 --------- d-----w c:\program files\TeamViewer3
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\dllcache\gdi32.dll
2008-04-03 08:04 14,290 ----a-w c:\program files\settings.dat
2007-07-10 08:40 114 -c--a-w c:\program files\plugin.ini
2004-10-05 15:12 138,430 -c--a-w c:\program files\Readme.rtf
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-09-13 22880040]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-08-02 7110656]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-08-02 86016]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-01-22 184320]
"RestoreIT!"="c:\program files\Phoenix Technologies Ltd\RecoverPro_XP\VBPTASK.EXE" [2004-05-27 114688]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2006-09-14 249927]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SbiCtr.exe"="c:\windows\system32\drivers\SbiCtr.exe" [2009-01-19 715776]
"RTHDCPL"="RTHDCPL.EXE" [2005-03-23 c:\windows\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2005-08-02 c:\windows\system32\nwiz.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
c:\documents and settings\user\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-05-03 113664]
KTITOR_2009.lnk - c:\program files\2009\2009.exe [2008-12-26 2249384]
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 393216]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 3746856]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-05-03 113664]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 10872]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0oodbs
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\3d max\\3dsmax.exe"=
"c:\\Program Files\\backburner 2\\monitor.exe"=
"c:\\Program Files\\backburner 2\\manager.exe"=
"c:\\Program Files\\backburner 2\\server.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\drivers\\SbiCtr.exe"=
R0 RITCPT;RITCPT;c:\windows\system32\drivers\RITCPT.SYS [2006-04-14 43512]
R0 VVBackd5;VVBackd5;c:\windows\system32\drivers\VVBackd5.sys [2006-04-14 179482]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-02 111184]
R3 SMBus_2k;SMBus_2k;c:\windows\system32\drivers\SMBus_2k.sys [2006-04-04 14208]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-04-02 20560]
R4 FBAPI;FBAPI;c:\windows\system32\drivers\FBAPI.sys [2006-04-14 5088]
R4 HDDFC;Hard Disk Noise Control;c:\program files\Fujitsu Siemens\Hard Disk Noise Control\HDDFC.exe [2005-03-22 155745]
R4 TeamViewer;TeamViewer 3;c:\program files\TeamViewer3\TeamViewer_Host.exe [2008-03-12 181544]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6056a756-35f6-11dd-8847-003005ace4d4}]
\Shell\Auto\command - Autorun.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad545a9c-808f-11dc-bed3-003005ace4d4}]
\Shell\AutoRun\command - F:\gmbcjmly.exezjpjkbuy.exe
\Shell\explore\Command - F:\gmbcjmly.exezjpjkbuy.exe
\Shell\open\Command - F:\gmbcjmly.exezjpjkbuy.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e788fd06-bf94-11dd-88d9-003005ace4d4}]
\Shell\AutoRun\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
\Shell\open\command - f:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fadfa616-2bc2-11dd-883a-003005ace4d4}]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {11E41D21-F58E-4956-938C-41741B79A8A7} = 192.168.0.11,91.150.90.2,91.150.90.3
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\ltag9nch.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-01-19 13:27:38
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-01-19 13:29:33
ComboFix-quarantined-files.txt 2009-01-19 12:29:22
Pre-Run: 10,699,431,936 bytes free
Post-Run: 10,889,236,480 bytes free
149 --- E O F --- 2009-01-14 15:04:03
|
|
|
|
Poslao: 19 Jan 2009 15:04
|
offline
- helen1
- Anti Malware Fighter
Rank 2
- Pridružio: 27 Avg 2005
- Poruke: 8620
- Gde živiš: Novi Beograd
|
Preuzmi program RootRepeal na Desktop.
Raspakuj RootRepeal.zip u neki folder.
Dvoklikom pokreni RootRepeal.exe.
Pređi na Report karticu (klikom na Report taster, dole, desno).
Klikni Scan taster.
U prozoru koji se otvori (Select Scan), obeleži kućice ispred svih stavki i klikni OK.
U narednom prozoru (Select Drives) obeleži kućicu ispred sistemskog diska (obično C:\) i klikni OK.
Po završetku procesa, klikni Save Report i sačuvaj izveštaj o skeniranju.
Priloži dobijeni izveštaj uz poruku korišćenjem opcije Prikači fajl.
|
|
|
|
Poslao: 19 Jan 2009 15:18
|
offline
- TeoDos
- Građanin
- Pridružio: 23 Jan 2008
- Poruke: 65
- Gde živiš: Beograd
|
Evo izvestaja.
Nisam najbolje razumeo poslednju recenicu uputstva?
mycity.rs/must-login.png
ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/01/19 15:04
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================
Drivers
-------------------
Name: catchme.sys
Image Path: C:\ComboFix\catchme.sys
Address: 0xBAC58000 Size: 30592 File Visible: No
Status: -
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB6817000 Size: 98304 File Visible: No
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADE4000 Size: 8192 File Visible: No
Status: -
Name: PROCEXP90.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Address: 0xBAE56000 Size: 6464 File Visible: No
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB5540000 Size: 45056 File Visible: No
Status: -
SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb685a576
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb685a432
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb685a910
#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb685a00a
#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb685a50c
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6859f4a
#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6859fae
#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb685a62c
#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb685a5ec
#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb685a76c
|
|
|
|
|
|
Poslao: 20 Jan 2009 21:06
|
offline
- helen1
- Anti Malware Fighter
Rank 2
- Pridružio: 27 Avg 2005
- Poruke: 8620
- Gde živiš: Novi Beograd
|
Ponovo iskljuci Antivirus:
Otvoriti Notepad i iskopirati sledeci tekst:
File::
c:\windows\system32\drivers\SbiCtr.exe
Folder::
c:\program files\2009
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6056a756-35f6-11dd-8847-003005ace4d4}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad545a9c-808f-11dc-bed3-003005ace4d4}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e788fd06-bf94-11dd-88d9-003005ace4d4}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fadfa616-2bc2-11dd-883a-003005ace4d4}]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\drivers\\SbiCtr.exe"=-
Snimiti na Desktop fajl iz Notepada kao "CFScript"
Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.
|
|
|
|
Poslao: 21 Jan 2009 09:19
|
offline
- TeoDos
- Građanin
- Pridružio: 23 Jan 2008
- Poruke: 65
- Gde živiš: Beograd
|
Prilikom podizanja sistema, avast mi je signalizirao da je pronadjen virus i naravno pitao je za akciju. Ja sam pomenuti fajl premestio u kovceg.
Ovo je iz avastovog dnevnika:
21/01/2009 08:41:09 SYSTEM 1376 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\drivers\SbiCtr.exe" file.
Kasnije sam video u tvom log-u da si taj fajl ubacio u skriptu pa sad ne znam da li sam uradio sve kako bi trebalo.
Evo i ComboFix log/a:
ComboFix 09-01-20.05 - user 2009-01-21 8:48:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1534.943 [GMT 1:00]
Running from: c:\documents and settings\user\Desktop\New Folder\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\New Folder\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090120-0] *On-access scanning disabled* (Updated)
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
c:\windows\system32\drivers\SbiCtr.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\2009
c:\program files\2009\2009.exe
c:\program files\2009\agenda.dxr
c:\program files\2009\editor\calc.exe
c:\program files\2009\editor\Notepad2.exe
c:\program files\2009\editor\Notepad2.reg
c:\program files\2009\files\licencesr.txt
c:\program files\2009\files\meseci\april.txt
c:\program files\2009\files\meseci\august.txt
c:\program files\2009\files\meseci\december.txt
c:\program files\2009\files\meseci\february.txt
c:\program files\2009\files\meseci\january.txt
c:\program files\2009\files\meseci\july.txt
c:\program files\2009\files\meseci\june.txt
c:\program files\2009\files\meseci\march.txt
c:\program files\2009\files\meseci\may.txt
c:\program files\2009\files\meseci\november.txt
c:\program files\2009\files\meseci\october.txt
c:\program files\2009\files\meseci\september.txt
c:\program files\2009\files\mjeseci\APRIL.txt
c:\program files\2009\files\mjeseci\AVGUST.txt
c:\program files\2009\files\mjeseci\CONTACTS.txt
c:\program files\2009\files\mjeseci\DECEMBAR.txt
c:\program files\2009\files\mjeseci\FEBRUAR.txt
c:\program files\2009\files\mjeseci\JANUAR.txt
c:\program files\2009\files\mjeseci\JULI.txt
c:\program files\2009\files\mjeseci\JUNI.txt
c:\program files\2009\files\mjeseci\MAJ.txt
c:\program files\2009\files\mjeseci\MART.txt
c:\program files\2009\files\mjeseci\NOTES.txt
c:\program files\2009\files\mjeseci\NOVEMBAR.txt
c:\program files\2009\files\mjeseci\OKTOBAR.txt
c:\program files\2009\files\mjeseci\SEPTEMBAR.txt
c:\program files\2009\files\prezentacija\1.txt
c:\program files\2009\files\prezentacija\3.txt
c:\program files\2009\img.cxt
c:\program files\2009\kLODOVIK.url
c:\program files\2009\Notes.txt
c:\program files\2009\PF2009.ico
c:\program files\2009\start.dxr
c:\program files\2009\unins000.dat
c:\program files\2009\unins000.exe
c:\program files\2009\Xtras\budapi.x32
c:\program files\2009\Xtras\Flash Asset\Flash Asset.x32
c:\program files\2009\Xtras\Media Support\Actor Control.x32
c:\program files\2009\Xtras\Media Support\Cursor Asset.x32
c:\program files\2009\Xtras\Media Support\Cursor Options.x32
c:\program files\2009\Xtras\Media Support\FileIo.x32
c:\program files\2009\Xtras\Media Support\Font Asset Dialog.x32
c:\program files\2009\Xtras\Media Support\Font Asset.x32
c:\program files\2009\Xtras\Media Support\Font Xtra.x32
c:\program files\2009\Xtras\Media Support\LZComprs.x32
c:\program files\2009\Xtras\Media Support\Squish.x32
c:\program files\2009\Xtras\Media Support\SWADCmpr.x32
c:\program files\2009\Xtras\Media Support\Text Asset.x32
c:\program files\2009\Xtras\Media Support\TextAuth.x32
c:\program files\2009\Xtras\Media Support\TextXtra.x32
c:\program files\2009\Xtras\Media Support\ZipXtra.x32
c:\program files\2009\Xtras\PMATIC.reg
c:\program files\2009\Xtras\PMATIC.X32
.
((((((((((((((((((((((((( Files Created from 2008-12-21 to 2009-01-21 )))))))))))))))))))))))))))))))
.
2009-01-21 08:42 . 2009-01-21 08:42 720,896 -r-hs---- c:\windows\system32\drivers\SbCtri.exe
2009-01-21 08:41 . 2009-01-19 08:44 715,776 --------- c:\windows\system32\drivers\trz1.tmp
2009-01-19 11:58 . 2009-01-19 11:58 <DIR> d-------- c:\documents and settings\user\Application Data\Malwarebytes
2009-01-19 11:57 . 2009-01-19 11:57 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-19 11:57 . 2009-01-19 11:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-19 11:57 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-19 11:57 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-19 11:27 . 2009-01-19 11:27 1,409 --a------ c:\windows\system32\tmpE1028.FOT
2009-01-19 11:27 . 2009-01-19 11:27 1,409 --a------ c:\windows\system32\tmp54428.FOT
2009-01-19 09:48 . 2009-01-19 09:48 1,409 --a------ c:\windows\system32\tmpCD9A0.FOT
2009-01-19 09:48 . 2009-01-19 09:48 1,409 --a------ c:\windows\system32\tmp039A0.FOT
2009-01-19 09:22 . 2009-01-19 09:22 1,409 --a------ c:\windows\system32\tmpE41B0.FOT
2009-01-19 09:22 . 2009-01-19 09:22 1,409 --a------ c:\windows\system32\tmp333B0.FOT
2009-01-19 08:43 . 2009-01-19 08:43 1,409 --a------ c:\windows\system32\tmpA66D0.FOT
2008-12-31 10:32 . 2008-12-31 10:32 1,409 --a------ c:\windows\system32\tmpFC3D5.FOT
2008-12-31 10:32 . 2008-12-31 10:32 1,409 --a------ c:\windows\system32\tmpD14D5.FOT
2008-12-27 08:38 . 2008-12-27 08:38 1,409 --a------ c:\windows\system32\tmp6A801.FOT
2008-12-27 08:38 . 2008-12-27 08:38 1,409 --a------ c:\windows\system32\tmp2A601.FOT
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-21 07:43 --------- d-----w c:\documents and settings\user\Application Data\Skype
2009-01-21 07:42 --------- d-----w c:\documents and settings\user\Application Data\OpenOffice.org2
2009-01-19 11:41 --------- d-----w c:\program files\CCLEANER
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\dllcache\srv.sys
2008-11-21 13:52 --------- d-----w c:\program files\TeamViewer3
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\dllcache\gdi32.dll
2008-04-03 08:04 14,290 ----a-w c:\program files\settings.dat
2007-07-10 08:40 114 -c--a-w c:\program files\plugin.ini
2004-10-05 15:12 138,430 -c--a-w c:\program files\Readme.rtf
.
((((((((((((((((((((((((((((( snapshot@2009-01-19_13.28.12.76 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-21 07:40:45 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_560.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-09-13 22880040]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-08-02 7110656]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-08-02 86016]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-01-22 184320]
"RestoreIT!"="c:\program files\Phoenix Technologies Ltd\RecoverPro_XP\VBPTASK.EXE" [2004-05-27 114688]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2006-09-14 249927]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"RTHDCPL"="RTHDCPL.EXE" [2005-03-23 c:\windows\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2005-08-02 c:\windows\system32\nwiz.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-05-03 113664]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 10872]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0oodbs
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\3d max\\3dsmax.exe"=
"c:\\Program Files\\backburner 2\\monitor.exe"=
"c:\\Program Files\\backburner 2\\manager.exe"=
"c:\\Program Files\\backburner 2\\server.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 RITCPT;RITCPT;c:\windows\system32\drivers\RITCPT.SYS [2006-04-14 43512]
R0 VVBackd5;VVBackd5;c:\windows\system32\drivers\VVBackd5.sys [2006-04-14 179482]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-02 111184]
R3 SMBus_2k;SMBus_2k;c:\windows\system32\drivers\SMBus_2k.sys [2006-04-04 14208]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-04-02 20560]
R4 FBAPI;FBAPI;c:\windows\system32\drivers\FBAPI.sys [2006-04-14 5088]
R4 HDDFC;Hard Disk Noise Control;c:\program files\Fujitsu Siemens\Hard Disk Noise Control\HDDFC.exe [2005-03-22 155745]
R4 Service Controler;Service Controler;c:\windows\system32\drivers\SbCtri.exe [2009-01-21 720896]
R4 TeamViewer;TeamViewer 3;c:\program files\TeamViewer3\TeamViewer_Host.exe [2008-03-12 181544]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - SERVICE_CONTROLER
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {11E41D21-F58E-4956-938C-41741B79A8A7} = 192.168.0.11,91.150.90.2,91.150.90.3
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\ltag9nch.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-01-21 08:50:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-01-21 8:52:12
ComboFix-quarantined-files.txt 2009-01-21 07:52:06
ComboFix2.txt 2009-01-19 12:29:35
Pre-Run: 10,841,579,520 bytes free
Post-Run: 10,823,143,424 bytes free
202 --- E O F --- 2009-01-14 15:04:03
|
|
|
|
Poslao: 21 Jan 2009 17:53
|
offline
- helen1
- Anti Malware Fighter
Rank 2
- Pridružio: 27 Avg 2005
- Poruke: 8620
- Gde živiš: Novi Beograd
|
Zdravo,
kopiraj mi sadrzaj sledeceg fajla ovde na forum:
C:\Qoobox\ComboFix-quarantined-files.txt
|
|
|
|