[bobby] Dali je trojan u pitanju?

1

[bobby] Dali je trojan u pitanju?

offline
  • Pridružio: 16 Mar 2009
  • Poruke: 147

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:00 PM, on 03/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\Nasa Dokumenta\Nasi programi\programi4\opera963en\op.com
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\sasa\TR3.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Babylon - {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - C:\Program Files\Babylon\Babylon Toolbar\BabylonIEToolBar.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [iexplore] C:\WINDOWS\system32\Sys\iexplore.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Magic Tree] C:\Documents and Settings\Administrator\Desktop\MagicTree.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: DSLMON.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - lovefm.miemasu.net:60002/kxhcm10.ocx
O16 - DPF: {62CF4D10-EBA7-45DA-ACA0-4B002E8B3A85} (NetSeTManager Class) - secure.bancaintesabeograd.com/Pages/Downlo.....PlugIn.cab
O16 - DPF: {7136C6F0-DE59-4AD5-B4A3-CA8B779D035E} (SetPinManager Class) - secure.bancaintesabeograd.com/Pages/Downlo.....Plugin.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - news.beograd.com/AxisCamControl.ocx
O16 - DPF: {DC01983E-2FD5-4200-9C3A-755E86413172} (PINManager Class) - secure.bancaintesabeograd.com/Pages/Downlo.....Plugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Update Service (gupdate1c987cfe9a5fc93) (gupdate1c987cfe9a5fc93) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe

--
End of file - 9223 bytes

Problem je u sledecem. Kad sam konektovan na net ni jedan player ne moze da mi pusti muziku. Npr. Windows Media Player mi izbaci sledecu poruku: "Windows Media Player cannot play the file because there is a problem with your sound device. There may not be a sound device installed on your computer, it may be in use by another program, or it may not be functioning properly."
Kad restartujem racunar i iskljucim modem (imam kablovski internet 1Mb/s) sve bude u redu, ali cim se ponovo konektujem na net isti problem se ponovo javi. Proverio sam u Device Manageru drajveri su u redu. Sumnjam da je mozda neki trojanac upao.

Dopuna: 16 Mar 2009 17:00



offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Skini ComboFix sa jedne od sledecih adresa na Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Startuj ga i ne diraj prozor programa dok skenira.
Sledi uputstva na ekranu. Kada zavrsi pojavice se log (C:\ComboFix.txt) koji ces nam ovde iskopirati.

offline
  • Pridružio: 16 Mar 2009
  • Poruke: 147

Pozdrav Bobby, uradio sam kako si mi objasnio.

ComboFix 09-03-15.01 - Administrator 2009-03-16 18:54:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.383.169 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)
FW: ActiveArmor Firewall *disabled*
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dbfb.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-16 to 2009-03-16 )))))))))))))))))))))))))))))))
.

2009-03-12 00:31 . 2009-03-12 00:31 <DIR> d-------- c:\windows\system32\IOSUBSYS
2009-03-04 15:50 . 2009-03-04 15:50 <DIR> d-------- c:\program files\AstroWorldSuite
2009-02-18 22:52 . 2009-02-18 22:52 <DIR> d-------- c:\documents and settings\Administrator\Application Data\PCF-VLC
2009-02-18 21:55 . 2009-02-18 21:55 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Participatory Culture Foundation
2009-02-18 21:39 . 2009-02-18 21:39 <DIR> d-------- c:\program files\Readon Technology

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-16 17:22 --------- d-----w c:\documents and settings\All Users\Application Data\Babylon
2009-03-16 15:33 --------- d-----w c:\program files\uTorrent
2009-03-16 10:43 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-11 23:30 --------- d-----w c:\program files\Google
2009-03-11 16:47 --------- d-----w c:\documents and settings\Administrator\Application Data\Skype
2009-03-11 15:01 --------- d-----w c:\documents and settings\Administrator\Application Data\skypePM
2009-03-04 19:57 --------- d-----w c:\program files\Common Files\AstroWorld Shared
2009-02-09 12:53 2,568 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-02-09 12:53 --------- d-----w c:\documents and settings\Administrator\Application Data\Corel
2009-01-16 20:05 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2009-01-16 19:38 --------- d-----w c:\documents and settings\Administrator\Application Data\dvdcss
2009-01-16 19:28 --------- d-----w c:\program files\VideoLAN
2007-12-15 18:08 88 --sh--r c:\windows\system32\185D9C45D3.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-14 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]
"pdfFactory Pro Dispatcher v2"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2006-04-06 499712]
"Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2008-03-10 3551456]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-11 86016]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"nwiz"="nwiz.exe" [2006-08-11 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2006-08-04 11:00 462336 c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 17:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--------- 2006-07-13 06:12 729088 c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 03:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RichVideo"=2 (0x2)
"ose"=3 (0x3)
"NOD32krn"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-07-20 15424]
S2 gupdate1c987cfe9a5fc93;Google Update Service (gupdate1c987cfe9a5fc93);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 133104]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebb2b8ee-20ed-11dc-b6e4-806d6172696f}]
\Shell\AutoRun\command - E:\Setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-05 21:22]

2009-03-16 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 21:25]

2009-03-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-688789844-725345543-500.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-14 12:27]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Magic Tree - c:\documents and settings\Administrator\Desktop\MagicTree.exe
MSConfigStartUp-ares - c:\program files\Ares\Ares.exe
MSConfigStartUp-nod32kui - c:\program files\Eset\nod32kui.exe
MSConfigStartUp-PoivY - c:\program files\PoivY.com\PoivY\PoivY.exe
MSConfigStartUp-RemoteControl - c:\program files\CyberLink\PowerDVD\PDVDServ.exe
MSConfigStartUp-SoundMAXPnP - c:\program files\Analog Devices\Core\smax4pnp.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
LSP: c:\windows\system32\imon.dll
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://lovefm.miemasu.net:60002/kxhcm10.ocx
DPF: {62CF4D10-EBA7-45DA-ACA0-4B002E8B3A85} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiNetSetPlugIn.cab
DPF: {7136C6F0-DE59-4AD5-B4A3-CA8B779D035E} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiSetPinPlugin.cab
DPF: {DC01983E-2FD5-4200-9C3A-755E86413172} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiPKCS11Plugin.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-03-16 18:55:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(944)
c:\windows\system32\imon.dll
.
Completion time: 2009-03-16 18:56:28
ComboFix-quarantined-files.txt 2009-03-16 17:56:23

Pre-Run: 71,725,531,136 bytes free
Post-Run: 71,864,741,888 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

160 --- E O F --- 2007-07-12 21:55:16

offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Kazi mi kakva je sada situacija?

Na sistemu ima ostataka NOD32 antivirusa i njih cemo sada da otklonimo:
Otvoriti Notepad i iskopirati sledeci tekst:

File::
c:\windows\system32\drivers\nod32drv.sys
c:\windows\system32\imon.dll

Folder::
c:\program files\Eset\

Driver::
nod32drv


Snimiti na Desktop fajl iz Notepada kao "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.

offline
  • Pridružio: 16 Mar 2009
  • Poruke: 147

Uradio sam tacno kako si mi napisao, napravio txt dokument i prevukao u combofix ali mi je nakon restartovanja (racunar se sam restartovao u toku skeniranja) ponovo prijavio da mi je nod32 aktivan i da bih trebao da ga iskljucim pre nego sto nastavim da skeniram.

ComboFix 09-03-15.01 - Administrator 2009-03-16 21:14:49.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.383.104 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)
FW: ActiveArmor Firewall *disabled*
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\drivers\nod32drv.sys
c:\windows\system32\imon.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\nod32drv.sys
c:\windows\system32\imon.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NOD32DRV
-------\Service_nod32drv


((((((((((((((((((((((((( Files Created from 2009-02-16 to 2009-03-16 )))))))))))))))))))))))))))))))
.

2009-03-12 00:31 . 2009-03-12 00:31 <DIR> d-------- c:\windows\system32\IOSUBSYS
2009-03-04 15:50 . 2009-03-04 15:50 <DIR> d-------- c:\program files\AstroWorldSuite
2009-02-18 22:52 . 2009-02-18 22:52 <DIR> d-------- c:\documents and settings\Administrator\Application Data\PCF-VLC
2009-02-18 21:55 . 2009-02-18 21:55 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Participatory Culture Foundation
2009-02-18 21:39 . 2009-02-18 21:39 <DIR> d-------- c:\program files\Readon Technology

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-16 20:19 --------- d-----w c:\documents and settings\All Users\Application Data\Babylon
2009-03-16 15:33 --------- d-----w c:\program files\uTorrent
2009-03-16 10:43 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-11 23:30 --------- d-----w c:\program files\Google
2009-03-11 16:47 --------- d-----w c:\documents and settings\Administrator\Application Data\Skype
2009-03-11 15:01 --------- d-----w c:\documents and settings\Administrator\Application Data\skypePM
2009-03-04 19:57 --------- d-----w c:\program files\Common Files\AstroWorld Shared
2009-02-09 12:53 --------- d-----w c:\documents and settings\Administrator\Application Data\Corel
2009-01-16 20:05 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2009-01-16 19:38 --------- d-----w c:\documents and settings\Administrator\Application Data\dvdcss
2009-01-16 19:28 --------- d-----w c:\program files\VideoLAN
2007-12-15 18:08 88 --sh--r c:\windows\system32\185D9C45D3.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-03-16_18.55.30.79 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-03-16 20:18:28 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_238.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-14 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]
"pdfFactory Pro Dispatcher v2"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2006-04-06 499712]
"Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2008-03-10 3551456]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-11 86016]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"nwiz"="nwiz.exe" [2006-08-11 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2006-08-04 11:00 462336 c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 17:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--------- 2006-07-13 06:12 729088 c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 03:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RichVideo"=2 (0x2)
"ose"=3 (0x3)
"NOD32krn"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S2 gupdate1c987cfe9a5fc93;Google Update Service (gupdate1c987cfe9a5fc93);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 133104]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebb2b8ee-20ed-11dc-b6e4-806d6172696f}]
\Shell\AutoRun\command - E:\Setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-05 21:22]

2009-03-16 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 21:25]

2009-03-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-688789844-725345543-500.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-14 12:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://lovefm.miemasu.net:60002/kxhcm10.ocx
DPF: {62CF4D10-EBA7-45DA-ACA0-4B002E8B3A85} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiNetSetPlugIn.cab
DPF: {7136C6F0-DE59-4AD5-B4A3-CA8B779D035E} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiSetPinPlugin.cab
DPF: {DC01983E-2FD5-4200-9C3A-755E86413172} - hxxps://secure.bancaintesabeograd.com/Pages/Download/CABS/DigitrustApiPKCS11Plugin.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-03-16 21:19:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\slmdmsr.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\windows\system32\rundll32.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
.
**************************************************************************
.
Completion time: 2009-03-16 21:22:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-16 20:22:22
ComboFix2.txt 2009-03-16 17:56:30

Pre-Run: 71,871,741,952 bytes free
Post-Run: 71,796,903,936 bytes free

166 --- E O F --- 2007-07-12 21:55:16

offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Log je sada cist. Za poruku o NODu ne brini, upravo smo ga uklonili.
Ostaje nam jos samo da deinstaliramo ComboFix:

Klikni START a zatim RUN
U liniju za unos teksta ukucaj Combofix /u i klikni OK





Sačekaj da se proces deinstalacije završi

Gornja procedura će:
Obrisati sledeće:
ComboFix i njegove file-ove i foldere
VundoFix Backups folder, ako postoji
C:\Deckard folder, ako postoji
C:\OtMoveIt folder, ako postoji

Resetovati podešavanja sata na kompjuteru
Sakriti ekstenzije file-ova, ako je potrebno
Sakriti sistemske/skrivene file-ove/foldere, ako je potrebno
Resetovati System Restore

offline
  • Pridružio: 16 Mar 2009
  • Poruke: 147

Ok, deinstalirao sam combofix! Znaci malware nije ni postojao? Jedino sto su ostali repovi od noda nakon deinstaliranja.
Hvala puno na pomoci!

offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Imao je trojanac, i ComboFix ga je obrisao pri prvom pokretanju.

offline
  • Pridružio: 16 Mar 2009
  • Poruke: 147

Inace sam nod32 deinstalirao pre mozda godinu dana. Nisam ni znao da su na racunaru bili repovi. Hvala jos jednom!

Dopuna: 16 Mar 2009 22:43

Jos jedno pitanje! Jel dovoljno samo da izbrisem HijackThis sa desktopa ili treba i da se deinstalira nesto?

offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Pogledaj da li ga ima u Add/Remove programs pa deinstaliraj odatle.
Ako ga nema onda je dovoljno obrisati ga rucno.

Ko je trenutno na forumu
 

Ukupno su 1021 korisnika na forumu :: 31 registrovanih, 7 sakrivenih i 983 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: anta, bokisha253, bozomotika, Brana01, cavatina, ccoogg123, cenejac111, djuradj, dolinalima, esx66, FileFinder, HogarStrashni, ivan1973, Kibice, KUZMAR, laki_bb, mean_machine, MiG-29M2, mikrimaus, miodrag, Mirage 2000N, nazgul75, raptorsi, Silvertooth, solic, Tila Painen, tmanda323, zillbg, zzapNDjuric99, Čivi, 223223