Connection dropping

offline
  • Joined: 02 Jan 2008
  • Posts: 4

I use Sezam's ADSL 512/64, and my connection keeps dropping; for protection I use NOD32, so please have a look at this log to see if I have anything.
Regards

Logfile of HijackThis v1.99.1
Scan saved at 20:05:22, on 02/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\OneStepSearch\onestep.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OneStepSearch\onestep.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\PECA\Desktop\New Folder\TR3.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = pecafilm.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A5CA8C0-AAE5-45B5-BEEB-3633E11D50BA}: NameServer = 77.105.0.19 77.105.0.18
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: OneStep Search Service - Unknown owner - C:\Program Files\OneStepSearch\onestep.exe" "C:\Program Files\OneStepSearch\onestep.dll" Service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hi...


Run HT, scan, and check the following line:

O23 - Service: OneStep Search Service - Unknown owner - C:\Program Files\OneStepSearch\onestep.exe" "C:\Program Files\OneStepSearch\onestep.dll" Service (file missing)

Click Fix Checked.


-------------------------------------------------------------------------------------


Download ComboFix from one of the following addresses:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Run it and do not touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log will appear, which you should copy here for us.

offline
  • Joined: 02 Jan 2008
  • Posts: 4

Hi dr_Bora, sorry for replying only now; I don't know how to do this myself, so I waited for a friend to come over.

Here is the ComboFix log; I deleted that line in HT.


ComboFix 08-01-17.1 - PECA 2008-01-16 21:55:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.245 [GMT 1:00]
Running from: C:\Documents and Settings\PECA\Desktop\New Folder (2)\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Microsoft Security Adviser
C:\Program Files\Microsoft Security Adviser\mssadv.exe
C:\WINDOWS\msettings.ini
C:\WINDOWS\mssadv.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-16 21:54 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-02 21:15 . 2008-01-02 21:16 <DIR> d-------- C:\Program Files\Mv2Player
2007-12-29 22:18 . 2007-12-29 22:18 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-17 13:19 . 2007-12-17 13:19 <DIR> d-------- C:\Program Files\SAGEM
2007-12-17 13:19 . 2007-12-17 13:19 <DIR> d-------- C:\Documents and Settings\PECA\Application Data\InstallShield
2007-12-17 13:13 . 2007-02-13 16:19 194,128 --a------ C:\WINDOWS\adiras.exe
2007-12-17 13:13 . 2006-02-15 10:15 176,128 --a------ C:\WINDOWS\autoclk.exe
2007-12-17 13:13 . 2007-12-17 13:20 990 --a------ C:\WINDOWS\adiras.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 20:49 --------- d-----w C:\Documents and Settings\PECA\Application Data\uTorrent
2007-12-25 14:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-17 12:20 32 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg
2007-12-17 12:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-17 12:18 --------- d-----w C:\Program Files\TI ADSL
2007-12-10 19:53 --------- d-----w C:\Program Files\FDRLab
2007-12-08 11:22 --------- d-----w C:\Program Files\uTorrent
2007-12-02 08:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-11-26 20:16 502,208 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2007-11-26 20:16 270,336 ----a-w C:\WINDOWS\system32\imon.dll
2007-11-26 19:38 --------- d-----w C:\Program Files\Total Video Converter
2007-11-26 19:36 --------- d-----w C:\Program Files\Yahoo!
2007-11-26 19:36 --------- d-----w C:\Program Files\FLV Player
2007-11-26 19:25 --------- d-----w C:\Program Files\EcrTool_SR
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:07 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-07 20:36 77824]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-11-26 21:16 917504]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A70001000000}\SC_Reader.exe [2006-06-10 13:10:44]
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-12-17 13:20:19]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

R3 e4usbaw;USB ADSL2 WAN Adapter;C:\WINDOWS\system32\DRIVERS\e4usbaw.sys [2007-01-04 13:48]
S2 E4LOADER;General Purpose USB Driver (e4ldr.sys);C:\WINDOWS\system32\Drivers\e4ldr.sys [2007-01-04 13:47]
S3 AtmElan;ATM Emulated LAN;C:\WINDOWS\system32\DRIVERS\atmlane.sys [2004-08-04 02:07]
S3 AtmLane;ATM LAN Emulation;C:\WINDOWS\system32\DRIVERS\atmlane.sys [2004-08-04 02:07]
S3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys [2004-05-02 09:47]
S3 Intels51;Intel(R) 536EP Modem;C:\WINDOWS\system32\DRIVERS\Intels51.sys [2003-05-22 16:44]
S3 TIAu5Bt;Actiontec Home DSL Modem Boot Device Service;C:\WINDOWS\system32\Drivers\tiau5bt.sys []
S3 TIAU5CO;Actiontec Home DSL Modem(WAN) Service;C:\WINDOWS\system32\DRIVERS\TIAU5CO.sys []
S4 OneStep Search Service;OneStep Search Service;"C:\Program Files\OneStepSearch\onestep.exe" "C:\Program Files\OneStepSearch\onestep.dll" Service []

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-14 23:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
"2008-01-16 08:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
"2008-01-16 09:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
"2008-01-16 10:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
"2008-01-16 11:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
"2008-01-16 12:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
"2008-01-16 13:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
"2008-01-16 14:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
"2008-01-16 15:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
"2008-01-16 16:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
"2008-01-16 17:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
"2008-01-15 00:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
"2008-01-16 18:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
"2008-01-16 19:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
"2008-01-16 20:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
"2008-01-15 21:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
"2008-01-15 22:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
"2008-01-15 01:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
"2008-01-15 02:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
"2008-01-15 03:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
"2008-01-16 04:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
"2008-01-16 05:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\2K5PTFbw.exe

"2008-01-16 06:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
"2008-01-16 07:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-01-17 21:57:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-17 21:57:55
ComboFix-quarantined-files.txt 2008-01-17 20:57:41



I'll probably do the next step again in a few days when my friend comes over.

Regards, Korenko

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text:

File::
C:\WINDOWS\autoclk.exe
C:\WINDOWS\system32\2K5PTFbw.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

Folder::
C:\Program Files\OneStepSearch

Driver::
OneStep Search Service


Save the Notepad file to the Desktop as "CFScript"




Drag the saved script/text onto the ComboFix icon as in the picture.
Post in your next message the log that is produced at the end of the cleaning/scan.
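As an added example (not code from the thread, nor from HijackThis or ComboFix), here is a small Python triage script that does by machine what dr_Bora did by eye across the two logs above: it pulls the O23 services that HijackThis marks "(file missing)", groups the ComboFix scheduled tasks by target executable and flags any binary that a run of At<N>.job tasks points at (the hourly 2K5PTFbw.exe pattern in this thread), and then renders the File::/Driver:: sections in the CFScript format this post describes. The sample input is excerpted from the logs posted in the thread plus one constructed benign task; the `min_jobs=3` threshold and all function names are this example's own choices, not anything HijackThis or ComboFix defines.

```python
import re
from collections import defaultdict

# Constructed sample input: O23 lines excerpted from the HijackThis log in the thread.
HJT_LOG = r"""
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: OneStep Search Service - Unknown owner - C:\Program Files\OneStepSearch\onestep.exe" "C:\Program Files\OneStepSearch\onestep.dll" Service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Constructed sample input: part of the ComboFix 'Scheduled Tasks' section from the thread,
# plus one made-up benign task (Backup.job) so the filter has something to leave alone.
COMBOFIX_TASKS = r"""
Contents of the 'Scheduled Tasks' folder
"2008-01-14 23:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
"2008-01-16 08:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
"2008-01-16 09:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
"2008-01-15 00:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
"2008-01-15 01:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\2K5PTFbw.exe
"2008-01-16 04:00:00 C:\WINDOWS\Tasks\Backup.job"
- C:\Program Files\Backup\backup.exe
.
"""

# HijackThis O23 layout: "O23 - Service: <name> - <owner> - <path>"
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# ComboFix task layout: a quoted "<timestamp> <job path>" line followed by a "- <target>" line
TASK_RE = re.compile(r'^"(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<job>[^"]+)"$')


def missing_file_services(hjt_log):
    """Return (name, owner, path) for O23 services whose binary HijackThis reports as missing."""
    hits = []
    for line in hjt_log.splitlines():
        m = O23_RE.match(line.strip())
        if m and m.group('path').rstrip().endswith('(file missing)'):
            hits.append((m.group('name'), m.group('owner'), m.group('path')))
    return hits


def parse_scheduled_tasks(section):
    """Return (job path, run time, target executable) for each task in a ComboFix listing."""
    tasks = []
    lines = section.splitlines()
    for i, line in enumerate(lines):
        m = TASK_RE.match(line.strip())
        if m and i + 1 < len(lines) and lines[i + 1].startswith('- '):
            tasks.append((m.group('job'), m.group('when'), lines[i + 1][2:].strip()))
    return tasks


def suspicious_task_targets(tasks, min_jobs=3):
    """Map target executable -> sorted At<N>.job paths, for targets hit by >= min_jobs such jobs.
    The AT scheduler names its jobs At<N>.job; a long run of them aimed at one binary
    (hourly, in this thread) is the persistence pattern dr_Bora cleaned up."""
    by_target = defaultdict(list)
    for job, _when, target in tasks:
        if re.search(r'\\At\d+\.job$', job, re.IGNORECASE):
            by_target[target].append(job)
    return {t: sorted(jobs) for t, jobs in by_target.items() if len(jobs) >= min_jobs}


def build_cfscript(files=(), folders=(), drivers=()):
    """Render the File::/Folder::/Driver:: sections in the CFScript.txt layout used in the thread."""
    out = []
    for header, items in (('File::', files), ('Folder::', folders), ('Driver::', drivers)):
        if items:
            out.append(header)
            out.extend(items)
            out.append('')
    return '\n'.join(out).rstrip('\n') + '\n'


def triage(hjt_log, combofix_tasks):
    """Combine both checks and draft the CFScript a helper would review before use."""
    services = missing_file_services(hjt_log)
    flagged = suspicious_task_targets(parse_scheduled_tasks(combofix_tasks))
    files = []
    for target, jobs in sorted(flagged.items()):
        files.append(target)       # the binary the jobs run
        files.extend(jobs)         # and every job that runs it
    return {
        'missing_file_services': services,
        'flagged_targets': flagged,
        'cfscript': build_cfscript(files=files, drivers=[name for name, _o, _p in services]),
    }


if __name__ == "__main__":
    result = triage(HJT_LOG, COMBOFIX_TASKS)
    for name, owner, _path in result['missing_file_services']:
        print(f"service with missing file: {name} ({owner})")
    for target, jobs in result['flagged_targets'].items():
        print(f"{len(jobs)} At*.job tasks point at {target}")
    print(result['cfscript'])
```

On the thread's full log the script lists all twenty-four At*.job tasks under 2K5PTFbw.exe in the same order dr_Bora wrote them, and puts "OneStep Search Service" under Driver::; autoclk.exe and the OneStepSearch folder were added by the helper from other sections of the log, which this example does not parse.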

offline
  • Joined: 02 Jan 2008
  • Posts: 4

Hi Dr bora,

my friend and I did this over the phone, and I hope it worked.

ComboFix 08-01-17.1 - PECA 2008-01-20 0:22:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.248 [GMT 1:00]
Running from: C:\Documents and Settings\PECA\Desktop\New Folder (2)\ComboFix.exe
Command switches used :: C:\Documents and Settings\PECA\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\autoclk.exe
C:\WINDOWS\system32\2K5PTFbw.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\OneStepSearch
C:\Program Files\OneStepSearch\home.js
C:\Program Files\OneStepSearch\onestep.dll
C:\Program Files\OneStepSearch\onestep.exe
C:\Program Files\OneStepSearch\osopt.exe
C:\Program Files\OneStepSearch\readme.html
C:\Program Files\OneStepSearch\uninstall.exe
C:\WINDOWS\autoclk.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_ONESTEP_SEARCH_SERVICE
-------\OneStep Search Service


((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
.

2008-01-18 17:29 . 2008-01-18 17:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-18 17:29 . 2008-01-18 17:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-16 21:54 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-02 21:15 . 2008-01-02 21:16 <DIR> d-------- C:\Program Files\Mv2Player
2007-12-29 22:18 . 2007-12-29 22:18 <DIR> d--h----- C:\WINDOWS\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 23:14 --------- d-----w C:\Documents and Settings\PECA\Application Data\uTorrent
2007-12-25 14:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-17 12:20 32 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg
2007-12-17 12:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-17 12:19 --------- d-----w C:\Program Files\SAGEM
2007-12-17 12:19 --------- d-----w C:\Documents and Settings\PECA\Application Data\InstallShield
2007-12-17 12:18 --------- d-----w C:\Program Files\TI ADSL
2007-12-10 19:53 --------- d-----w C:\Program Files\FDRLab
2007-12-08 11:22 --------- d-----w C:\Program Files\uTorrent
2007-12-02 08:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-11-26 20:16 502,208 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2007-11-26 20:16 270,336 ----a-w C:\WINDOWS\system32\imon.dll
2007-11-26 19:38 --------- d-----w C:\Program Files\Total Video Converter
2007-11-26 19:36 --------- d-----w C:\Program Files\Yahoo!
2007-11-26 19:36 --------- d-----w C:\Program Files\FLV Player
2007-11-26 19:25 --------- d-----w C:\Program Files\EcrTool_SR
.

((((((((((((((((((((((((((((( snapshot@2008-01-17_21.57.29.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-16 20:54:54 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-19 23:21:52 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-16 20:54:54 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-19 23:21:52 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-16 20:54:54 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-19 23:21:52 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-16 20:54:54 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-19 23:21:52 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-16 20:54:54 4,096,000 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-19 23:21:52 4,136,960 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-16 20:54:54 36,864 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-19 23:21:53 36,864 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2000-08-31 07:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2008-01-17 23:14:53 270,336 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-01-19 23:14:56 3,140,504 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:07 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-07 20:36 77824]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-11-26 21:16 917504]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A70001000000}\SC_Reader.exe [2006-06-10 13:10:44]
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-12-17 13:20:19]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

R3 e4usbaw;USB ADSL2 WAN Adapter;C:\WINDOWS\system32\DRIVERS\e4usbaw.sys [2007-01-04 13:48]
S2 E4LOADER;General Purpose USB Driver (e4ldr.sys);C:\WINDOWS\system32\Drivers\e4ldr.sys [2007-01-04 13:47]
S3 AtmElan;ATM Emulated LAN;C:\WINDOWS\system32\DRIVERS\atmlane.sys [2004-08-04 02:07]
S3 AtmLane;ATM LAN Emulation;C:\WINDOWS\system32\DRIVERS\atmlane.sys [2004-08-04 02:07]
S3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys [2004-05-02 09:47]
S3 Intels51;Intel(R) 536EP Modem;C:\WINDOWS\system32\DRIVERS\Intels51.sys [2003-05-22 16:44]
S3 TIAu5Bt;Actiontec Home DSL Modem Boot Device Service;C:\WINDOWS\system32\Drivers\tiau5bt.sys []
S3 TIAU5CO;Actiontec Home DSL Modem(WAN) Service;C:\WINDOWS\system32\DRIVERS\TIAU5CO.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-01-20 00:25:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-20 0:27:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-19 23:27:07
ComboFix2.txt 2008-01-17 20:57:56

Tell me about the time: it moved it one day forward. Should I set it back now, or wait until everything is finished?

Regards

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

The log is clean. Tell me how things are now...

offline
  • Joined: 02 Jan 2008
  • Posts: 4

It works great now. Can I now set the clock and date properly, and can I delete the ComboFix and HijackThis directories from the C partition?
One more thing: now that everything works as it should, do I need to turn off System Restore and restart the computer, or not?
Regards and thanks!!!

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE
