[bobby] Is it a trojan?

  • Joined: 16 Mar 2009
  • Posts: 147

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:00 PM, on 03/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\Nasa Dokumenta\Nasi programi\programi4\opera963en\op.com
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\sasa\TR3.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Babylon - {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - C:\Program Files\Babylon\Babylon Toolbar\BabylonIEToolBar.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [iexplore] C:\WINDOWS\system32\Sys\iexplore.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Magic Tree] C:\Documents and Settings\Administrator\Desktop\MagicTree.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: DSLMON.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [Link mogu videti samo ulogovani korisnici]\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - [Link mogu videti samo ulogovani korisnici]\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - [Link mogu videti samo ulogovani korisnici]\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - [Link mogu videti samo ulogovani korisnici]\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - [Link mogu videti samo ulogovani korisnici]\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - [Link mogu videti samo ulogovani korisnici]\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - [Link mogu videti samo ulogovani korisnici]\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - [Link mogu videti samo ulogovani korisnici]\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - [Link mogu videti samo ulogovani korisnici]\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [Link mogu videti samo ulogovani korisnici]\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - [Link mogu videti samo ulogovani korisnici]\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {62CF4D10-EBA7-45DA-ACA0-4B002E8B3A85} (NetSeTManager Class) - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {7136C6F0-DE59-4AD5-B4A3-CA8B779D035E} (SetPinManager Class) - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {DC01983E-2FD5-4200-9C3A-755E86413172} (PINManager Class) - [Link mogu videti samo ulogovani korisnici]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Update Service (gupdate1c987cfe9a5fc93) (gupdate1c987cfe9a5fc93) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe

--
End of file - 9223 bytes

The problem is as follows. When I am connected to the internet, no player can play music for me. For example, Windows Media Player gives me the following message: "Windows Media Player cannot play the file because there is a problem with your sound device. There may not be a sound device installed on your computer, it may be in use by another program, or it may not be functioning properly."
When I restart the computer and switch off the modem (I have 1 Mb/s cable internet) everything is fine, but as soon as I connect to the internet again the same problem comes back. I checked in Device Manager, the drivers are fine. I suspect that maybe some trojan got in.

Update: 16 Mar 2009 17:00
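As an added example (not part of this thread and not code from HijackThis or ComboFix), here is a small Python parser for the HijackThis entry lines shown in the log above (O2 BHOs, O3 toolbars, O4 autoruns, O23 services). It turns each line into a record and applies three review heuristics that are assumptions of this example, not HijackThis rules: a target marked "(file missing)", an autorun whose target lives in a user profile folder, and an autorun whose target sits in a subfolder of system32. The sample lines are constructed, modelled on the log format; the `[example]` autorun is a made-up entry.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in HijackThis v2 format (not evidence of anything):
# a BHO, a toolbar marked '(file missing)', quoted and unquoted autorun commands,
# a Global Startup line the parser deliberately skips, and a service entry.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll",
    r"O3 - Toolbar: Babylon - {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - C:\Program Files\Babylon\Babylon Toolbar\BabylonIEToolBar.dll (file missing)",
    r"O4 - HKLM\..\Run: [example] C:\WINDOWS\system32\Sys\example.exe",  # made-up entry
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min',
    r"O4 - HKCU\..\Run: [Magic Tree] C:\Documents and Settings\Administrator\Desktop\MagicTree.exe",
    r"O4 - Global Startup: DSLMON.lnk = ?",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
])

# 'O<n> - <kind>: <rest>'; for O4 lines <kind> is the registry hive/key path
ENTRY_RE = re.compile(r"^O(\d+) - ([^:]+): (.*)$")
# O4 rest: '[value name] command line'
O4_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# first token ending in a program/library extension, allowing unquoted spaces
EXE_RE = re.compile(r"^(.+?\.(?:exe|dll|scr|com|bat|cmd))(?=[\s,]|$)", re.IGNORECASE)
MISSING_MARK = "(file missing)"


@dataclass
class Entry:
    section: int   # HijackThis section number, e.g. 4 for O4 autoruns
    kind: str      # 'BHO', 'Toolbar', 'Service', or the hive key for O4
    name: str      # display name or autorun value name
    path: str      # target file, as far as it can be recovered from the line
    missing: bool  # HijackThis could not find the target on disk
    raw: str       # the original log line


def _first_path(command: str) -> str:
    """Best-effort executable part of an autorun command line.

    The command is printed as the registry holds it: quoted, unquoted with
    spaces, or prefixed by a launcher such as RUNDLL32.EXE (then the launcher
    itself is returned, since that is what actually starts)."""
    command = command.strip()
    m = re.match(r'"([^"]+)"', command)
    if m:
        return m.group(1)
    m = EXE_RE.match(command)
    if m:
        return m.group(1)
    return command.split(" ", 1)[0]


def parse_line(line: str):
    """Parse one HijackThis entry line; return an Entry or None if unrecognised."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = int(m.group(1)), m.group(2), m.group(3)
    missing = rest.endswith(MISSING_MARK)
    if missing:
        rest = rest[: -len(MISSING_MARK)].rstrip()
    if section == 4:
        o4 = O4_RE.match(rest)
        if not o4:
            return None  # e.g. 'Global Startup: x.lnk = ?' carries no path
        name, path = o4.group("name"), _first_path(o4.group("cmd"))
    else:
        # 'Name - {CLSID} - path' or 'Name (svc) - Vendor - path': path is last
        parts = rest.split(" - ")
        name, path = parts[0].strip(), parts[-1].strip()
    return Entry(section, kind, name, path, missing, line.strip())


def review_flags(e: Entry) -> list:
    """Review heuristics (assumptions of this example, not HijackThis rules).

    A flag means 'look at this entry by hand', not 'malicious': legitimate
    software also runs from user profiles and system32 subfolders."""
    flags = []
    low = e.path.lower()
    if e.missing:
        flags.append("target file missing")
    if e.section == 4:
        if "\\documents and settings\\" in low or "\\users\\" in low:
            flags.append("autorun from a user profile folder")
        if re.search(r"\\system32\\[^\\]+\\", low):
            flags.append("autorun from a system32 subfolder")
    return flags


def triage(log_text: str):
    """Parse a whole log; return (entries, flagged) where flagged maps the raw
    line of every entry with at least one review flag to its flags."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    flagged = {}
    for entry in entries:
        flags = review_flags(entry)
        if flags:
            flagged[entry.raw] = flags
    return entries, flagged


if __name__ == "__main__":
    parsed, flagged = triage(SAMPLE_LOG)
    print(f"{len(parsed)} entries parsed, {len(flagged)} need a closer look")
    for raw, flags in flagged.items():
        print(f"  {raw}\n    -> {', '.join(flags)}")
```

Run it on a saved HijackThis log by passing the file's contents to `triage()`; the flags only narrow down what to read by hand, and the actual decision about an entry, as in this thread, still rests with whoever reviews the log.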





  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Download ComboFix from one of the following addresses to your Desktop:
[Link visible only to logged-in users]
[Link visible only to logged-in users]
[Link visible only to logged-in users]

Run it and do not touch the program window while it is scanning.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear, which you should copy here for us.



  • Joined: 16 Mar 2009
  • Posts: 147

Hi Bobby, I did as you explained.

ComboFix 09-03-15.01 - Administrator 2009-03-16 18:54:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.383.169 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)
FW: ActiveArmor Firewall *disabled*
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dbfb.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-16 to 2009-03-16 )))))))))))))))))))))))))))))))
.

2009-03-12 00:31 . 2009-03-12 00:31 <DIR> d-------- c:\windows\system32\IOSUBSYS
2009-03-04 15:50 . 2009-03-04 15:50 <DIR> d-------- c:\program files\AstroWorldSuite
2009-02-18 22:52 . 2009-02-18 22:52 <DIR> d-------- c:\documents and settings\Administrator\Application Data\PCF-VLC
2009-02-18 21:55 . 2009-02-18 21:55 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Participatory Culture Foundation
2009-02-18 21:39 . 2009-02-18 21:39 <DIR> d-------- c:\program files\Readon Technology

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-16 17:22 --------- d-----w c:\documents and settings\All Users\Application Data\Babylon
2009-03-16 15:33 --------- d-----w c:\program files\uTorrent
2009-03-16 10:43 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-11 23:30 --------- d-----w c:\program files\Google
2009-03-11 16:47 --------- d-----w c:\documents and settings\Administrator\Application Data\Skype
2009-03-11 15:01 --------- d-----w c:\documents and settings\Administrator\Application Data\skypePM
2009-03-04 19:57 --------- d-----w c:\program files\Common Files\AstroWorld Shared
2009-02-09 12:53 2,568 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-02-09 12:53 --------- d-----w c:\documents and settings\Administrator\Application Data\Corel
2009-01-16 20:05 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2009-01-16 19:38 --------- d-----w c:\documents and settings\Administrator\Application Data\dvdcss
2009-01-16 19:28 --------- d-----w c:\program files\VideoLAN
2007-12-15 18:08 88 --sh--r c:\windows\system32\185D9C45D3.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-14 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]
"pdfFactory Pro Dispatcher v2"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2006-04-06 499712]
"Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2008-03-10 3551456]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-11 86016]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"nwiz"="nwiz.exe" [2006-08-11 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2006-08-04 11:00 462336 c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 17:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--------- 2006-07-13 06:12 729088 c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 03:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RichVideo"=2 (0x2)
"ose"=3 (0x3)
"NOD32krn"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-07-20 15424]
S2 gupdate1c987cfe9a5fc93;Google Update Service (gupdate1c987cfe9a5fc93);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 133104]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebb2b8ee-20ed-11dc-b6e4-806d6172696f}]
\Shell\AutoRun\command - E:\Setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-05 21:22]

2009-03-16 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 21:25]

2009-03-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-688789844-725345543-500.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-14 12:27]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Magic Tree - c:\documents and settings\Administrator\Desktop\MagicTree.exe
MSConfigStartUp-ares - c:\program files\Ares\Ares.exe
MSConfigStartUp-nod32kui - c:\program files\Eset\nod32kui.exe
MSConfigStartUp-PoivY - c:\program files\PoivY.com\PoivY\PoivY.exe
MSConfigStartUp-RemoteControl - c:\program files\CyberLink\PowerDVD\PDVDServ.exe
MSConfigStartUp-SoundMAXPnP - c:\program files\Analog Devices\Core\smax4pnp.exe


.
------- Supplementary Scan -------
.
uStart Page = [Link mogu videti samo ulogovani korisnici]
uSearchURL,(Default) = [Link mogu videti samo ulogovani korisnici]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
LSP: c:\windows\system32\imon.dll
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - [Link mogu videti samo ulogovani korisnici]
DPF: {62CF4D10-EBA7-45DA-ACA0-4B002E8B3A85} - [Link mogu videti samo ulogovani korisnici]
DPF: {7136C6F0-DE59-4AD5-B4A3-CA8B779D035E} - [Link mogu videti samo ulogovani korisnici]
DPF: {DC01983E-2FD5-4200-9C3A-755E86413172} - [Link mogu videti samo ulogovani korisnici]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2009-03-16 18:55:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(944)
c:\windows\system32\imon.dll
.
Completion time: 2009-03-16 18:56:28
ComboFix-quarantined-files.txt 2009-03-16 17:56:23

Pre-Run: 71,725,531,136 bytes free
Post-Run: 71,864,741,888 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

160 --- E O F --- 2007-07-12 21:55:16

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Tell me, what is the situation now?

There are leftovers of the NOD32 antivirus on the system, and we will remove them now:
Open Notepad and copy the following text into it:

File::
c:\windows\system32\drivers\nod32drv.sys
c:\windows\system32\imon.dll

Folder::
c:\program files\Eset\

Driver::
nod32drv


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as in the picture.
Post in your next message the log that is created at the end of the cleaning/scanning.

  • Joined: 16 Mar 2009
  • Posts: 147

I did exactly as you wrote, made the txt document and dragged it onto ComboFix, but after the restart (the computer restarted by itself during the scan) it again reported that NOD32 is active and that I should disable it before continuing the scan.

ComboFix 09-03-15.01 - Administrator 2009-03-16 21:14:49.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.383.104 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)
FW: ActiveArmor Firewall *disabled*
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\drivers\nod32drv.sys
c:\windows\system32\imon.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\nod32drv.sys
c:\windows\system32\imon.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NOD32DRV
-------\Service_nod32drv


((((((((((((((((((((((((( Files Created from 2009-02-16 to 2009-03-16 )))))))))))))))))))))))))))))))
.

2009-03-12 00:31 . 2009-03-12 00:31 <DIR> d-------- c:\windows\system32\IOSUBSYS
2009-03-04 15:50 . 2009-03-04 15:50 <DIR> d-------- c:\program files\AstroWorldSuite
2009-02-18 22:52 . 2009-02-18 22:52 <DIR> d-------- c:\documents and settings\Administrator\Application Data\PCF-VLC
2009-02-18 21:55 . 2009-02-18 21:55 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Participatory Culture Foundation
2009-02-18 21:39 . 2009-02-18 21:39 <DIR> d-------- c:\program files\Readon Technology

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-16 20:19 --------- d-----w c:\documents and settings\All Users\Application Data\Babylon
2009-03-16 15:33 --------- d-----w c:\program files\uTorrent
2009-03-16 10:43 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-11 23:30 --------- d-----w c:\program files\Google
2009-03-11 16:47 --------- d-----w c:\documents and settings\Administrator\Application Data\Skype
2009-03-11 15:01 --------- d-----w c:\documents and settings\Administrator\Application Data\skypePM
2009-03-04 19:57 --------- d-----w c:\program files\Common Files\AstroWorld Shared
2009-02-09 12:53 --------- d-----w c:\documents and settings\Administrator\Application Data\Corel
2009-01-16 20:05 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2009-01-16 19:38 --------- d-----w c:\documents and settings\Administrator\Application Data\dvdcss
2009-01-16 19:28 --------- d-----w c:\program files\VideoLAN
2007-12-15 18:08 88 --sh--r c:\windows\system32\185D9C45D3.sys
.

((((((((((((((((((((((((((((( [Link mogu videti samo ulogovani korisnici] )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-03-16 20:18:28 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_238.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-14 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]
"pdfFactory Pro Dispatcher v2"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2006-04-06 499712]
"Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2008-03-10 3551456]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-11 86016]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"nwiz"="nwiz.exe" [2006-08-11 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2006-08-04 11:00 462336 c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 17:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--------- 2006-07-13 06:12 729088 c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 03:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RichVideo"=2 (0x2)
"ose"=3 (0x3)
"NOD32krn"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S2 gupdate1c987cfe9a5fc93;Google Update Service (gupdate1c987cfe9a5fc93);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 133104]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebb2b8ee-20ed-11dc-b6e4-806d6172696f}]
\Shell\AutoRun\command - E:\Setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-05 21:22]

2009-03-16 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 21:25]

2009-03-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-688789844-725345543-500.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-14 12:27]
.
.
------- Supplementary Scan -------
.
uStart Page = [Link mogu videti samo ulogovani korisnici]
uSearchURL,(Default) = [Link mogu videti samo ulogovani korisnici]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - [Link mogu videti samo ulogovani korisnici]
DPF: {62CF4D10-EBA7-45DA-ACA0-4B002E8B3A85} - [Link mogu videti samo ulogovani korisnici]
DPF: {7136C6F0-DE59-4AD5-B4A3-CA8B779D035E} - [Link mogu videti samo ulogovani korisnici]
DPF: {DC01983E-2FD5-4200-9C3A-755E86413172} - [Link mogu videti samo ulogovani korisnici]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2009-03-16 21:19:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\slmdmsr.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\windows\system32\rundll32.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
.
**************************************************************************
.
Completion time: 2009-03-16 21:22:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-16 20:22:22
ComboFix2.txt 2009-03-16 17:56:30

Pre-Run: 71,871,741,952 bytes free
Post-Run: 71,796,903,936 bytes free

166 --- E O F --- 2007-07-12 21:55:16

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

The log is now clean. Don't worry about the NOD message, we have just removed it.
All that remains is to uninstall ComboFix:

Click START and then RUN
In the text input line type Combofix /u and click OK

Wait for the uninstall process to finish

The above procedure will:
Delete the following:
ComboFix and its files and folders
VundoFix Backups folder, if it exists
C:\Deckard folder, if it exists
C:\OtMoveIt folder, if it exists

Reset the computer's clock settings
Hide file extensions, if necessary
Hide system/hidden files/folders, if necessary
Reset System Restore

  • Joined: 16 Mar 2009
  • Posts: 147

OK, I have uninstalled ComboFix! So the malware never existed? The only thing was the leftovers of NOD after uninstalling it.
Thanks a lot for the help!

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

It did have a trojan, and ComboFix deleted it on the first run.

  • Joined: 16 Mar 2009
  • Posts: 147

By the way, I uninstalled NOD32 maybe a year ago. I didn't even know there were leftovers on the computer. Thanks once again!

Update: 16 Mar 2009 22:43

One more question! Is it enough just to delete HijackThis from the desktop, or does something need to be uninstalled as well?

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Check whether it is listed in Add/Remove Programs and uninstall it from there.
If it is not there, then deleting it manually is enough.
