win32/agent

offline
  • Joined: 28 Feb 2009
  • Posts: 46

ComboFix 09-03-01.01 - bojana 2009-03-03 7:04:43.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.256.46 [GMT 1:00]
Running from: c:\documents and settings\bojana\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\bojana\Desktop\CFScript.txt
AV: Eset NOD32 antivirus system 2.51 *On-access scanning enabled* (Updated)
AV: F-Secure Anti-Virus Client Security 5.55 *On-access scanning enabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\rest.exe
c:\windows\system\wmibus.exe.vir
c:\windows\system32\ni.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\rest.exe
c:\windows\system\wmibus.exe.vir
c:\windows\system32\ni.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WMIBUS
-------\Service_WMIBUS


((((((((((((((((((((((((( Files Created from 2009-02-03 to 2009-03-03 )))))))))))))))))))))))))))))))
.

2009-02-28 15:12 . 2009-02-28 15:12 <DIR> d-------- c:\program files\Trend Micro
2009-02-28 14:19 . 2009-02-28 14:19 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-28 14:19 . 2009-02-28 14:19 <DIR> d-------- c:\documents and settings\bojana\Application Data\Malwarebytes
2009-02-28 14:19 . 2009-02-28 14:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-28 14:19 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-28 14:19 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-28 14:17 . 2009-02-28 14:17 <DIR> d-------- c:\windows\system32\NtmsData
2009-02-27 19:08 . 2009-03-02 06:22 <DIR> d-------- C:\USBNoRisk
2009-02-27 09:58 . 2009-03-02 13:38 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-27 09:58 . 2006-05-25 14:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll
2009-02-27 09:58 . 2003-02-02 19:06 153,088 --a------ c:\windows\system32\UNRAR3.dll
2009-02-27 09:58 . 2005-08-26 00:50 77,312 --a------ c:\windows\system32\ztvunace26.dll
2009-02-27 09:58 . 2002-03-06 00:00 75,264 --a------ c:\windows\system32\unacev2.dll
2009-02-27 09:58 . 2006-06-19 12:01 69,632 --a------ c:\windows\system32\ztvcabinet.dll
2009-02-27 09:57 . 2009-02-27 10:11 <DIR> d-------- c:\program files\Trojan Remover
2009-02-27 09:57 . 2009-02-27 09:57 <DIR> d-------- c:\documents and settings\bojana\Application Data\Simply Super Software
2009-02-27 09:57 . 2009-02-27 09:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-02-27 09:39 . 2001-08-17 12:13 27,165 --a------ c:\windows\system32\drivers\fetnd5.sys
2009-02-27 09:39 . 2001-08-17 12:13 27,165 --a--c--- c:\windows\system32\dllcache\fetnd5.sys
2009-02-26 12:23 . 2009-02-26 12:23 <DIR> d-------- c:\windows\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-27 05:09 --------- d-----w c:\program files\ESET
2006-10-11 08:04 61,036 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:04 48,742 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 29,313 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 41,082 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 166,510 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-03-02_16.14.07.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-03-03 06:10:23 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_730.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"NCLaunch"="c:\windows\NCLAUNCH.EXe" [2006-09-02 40960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GW Port Controller"="c:\progra~1\samsung\smarthru\PORTCTRL.EXE" [2004-02-09 163840]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2006-05-31 921600]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-04 36352]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-02-15 1214856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-12-15 10:18 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\RZZO\\Apoteka 2.1\\Obrada Recepata.exe"=

S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2006-03-18 9344]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\bojana\Application Data\Mozilla\Firefox\Profiles\9wde14uz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-03-03 07:10:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(700)
c:\windows\system32\imon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\program files\ESET\nod32krn.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-03 7:16:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-03 06:16:10
ComboFix2.txt 2009-03-02 15:16:10
ComboFix3.txt 2009-02-28 15:36:58

Pre-Run: 2,842,288,128 bytes free
Post-Run: 2,799,714,304 bytes free

139

Addendum: 03 Mar 2009 7:26

This computer does not have the firewall enabled because it hosts an SQL server with a database used by several other computers. I tried enabling the firewall and then a problem appears: the applications that use the SQL database do not work, or rather the connection to the database does not work, and the instructions I received also say to turn the firewall off.
Nothing was downloaded, only e-mail.
For now what we have done is OK, we will stay in touch. Regards and thanks once again.

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

If the computer is undefended, you could at least install SP3 and run regular Windows updates.


I had asked about the desktop: is there some animation on the desktop or not?
I see that a program which runs animated (Flash) desktop backgrounds is active. An animated background can be malicious, so I would ask for an answer to this question.

offline
  • Joined: 28 Feb 2009
  • Posts: 46

No, there is an ordinary picture as the background.

Addendum: 03 Mar 2009 10:09

We will definitely turn updates on, and install SP3.

Addendum: 03 Mar 2009 10:26

...........regards

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Go to Start > Run, type msconfig in the dialog and click OK.

On the Startup tab, disable the following program: NCLaunch.

My information about that program is that it is used to run Flash files as a desktop background.
Let me know if it turns out that it is actually used for something else.

offline
  • Joined: 28 Feb 2009
  • Posts: 46

I did that too, so we will see.

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

I saw your message in the other thread.
Tell me whether the network disappeared during our cleanup, after it, or possibly before?

Run ComboFix once more; it automatically repairs a lot of network-related things.
Post the log here for me.

offline
  • Joined: 28 Feb 2009
  • Posts: 46

ComboFix 09-03-02.02 - bojana 2009-03-03 16:27:58.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.256.67 [GMT 1:00]
Running from: c:\documents and settings\bojana\Desktop\ComboFix.exe
AV: Eset NOD32 antivirus system 2.51 *On-access scanning enabled* (Updated)
AV: F-Secure Anti-Virus Client Security 5.55 *On-access scanning enabled* (Updated)
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

g:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013

.
((((((((((((((((((((((((( Files Created from 2009-02-03 to 2009-03-03 )))))))))))))))))))))))))))))))
.

2009-03-03 10:01 . 2009-03-03 10:01 527,872 --a------ c:\windows\system32\dq.exe
2009-03-03 09:24 . 2009-03-03 10:01 527,872 -r-hs---- c:\windows\system\wmibus.exe
2009-03-03 09:23 . 2009-03-03 09:24 527,872 --a------ c:\windows\system32\ni.exe
2009-02-28 15:12 . 2009-02-28 15:12 <DIR> d-------- c:\program files\Trend Micro
2009-02-28 14:19 . 2009-02-28 14:19 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-28 14:19 . 2009-02-28 14:19 <DIR> d-------- c:\documents and settings\bojana\Application Data\Malwarebytes
2009-02-28 14:19 . 2009-02-28 14:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-28 14:19 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-28 14:19 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-28 14:17 . 2009-02-28 14:17 <DIR> d-------- c:\windows\system32\NtmsData
2009-02-27 19:08 . 2009-03-03 16:22 <DIR> d-------- C:\USBNoRisk
2009-02-27 09:58 . 2009-03-02 13:38 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-27 09:58 . 2006-05-25 14:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll
2009-02-27 09:58 . 2003-02-02 19:06 153,088 --a------ c:\windows\system32\UNRAR3.dll
2009-02-27 09:58 . 2005-08-26 00:50 77,312 --a------ c:\windows\system32\ztvunace26.dll
2009-02-27 09:58 . 2002-03-06 00:00 75,264 --a------ c:\windows\system32\unacev2.dll
2009-02-27 09:58 . 2006-06-19 12:01 69,632 --a------ c:\windows\system32\ztvcabinet.dll
2009-02-27 09:57 . 2009-02-27 10:11 <DIR> d-------- c:\program files\Trojan Remover
2009-02-27 09:57 . 2009-02-27 09:57 <DIR> d-------- c:\documents and settings\bojana\Application Data\Simply Super Software
2009-02-27 09:57 . 2009-02-27 09:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-02-27 09:39 . 2001-08-17 12:13 27,165 --a------ c:\windows\system32\drivers\fetnd5.sys
2009-02-27 09:39 . 2001-08-17 12:13 27,165 --a--c--- c:\windows\system32\dllcache\fetnd5.sys
2009-02-26 12:23 . 2009-02-26 12:23 <DIR> d-------- c:\windows\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-27 05:09 --------- d-----w c:\program files\ESET
2006-10-11 08:04 61,036 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:04 48,742 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 29,313 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 41,082 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 166,510 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GW Port Controller"="c:\progra~1\samsung\smarthru\PORTCTRL.EXE" [2004-02-09 163840]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2006-05-31 921600]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-04 36352]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-02-15 1214856]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-12-15 10:18 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NCLaunch]
--a------ 2006-09-02 11:29 40960 c:\windows\NCLAUNCH.EXe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\RZZO\\Apoteka 2.1\\Obrada Recepata.exe"=

S2 WMIBUS;WMI Bus Database;c:\windows\system\wmibus.exe [2009-03-03 527872]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2006-03-18 9344]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - WMIBUS
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\bojana\Application Data\Mozilla\Firefox\Profiles\9wde14uz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-03-03 16:30:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(700)
c:\windows\system32\imon.dll
.
Completion time: 2009-03-03 16:33:40
ComboFix-quarantined-files.txt 2009-03-03 15:33:32
ComboFix2.txt 2009-03-03 06:16:22

Pre-Run: 2,890,215,424 bytes free
Post-Run: 2,882,768,896 bytes free

120

Addendum: 03 Mar 2009 19:20

Trojan Remover often shows me that there is a problem in wmibus.exe.

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Please answer my question about when the network stopped working.

Further, if you have no network on the infected computer, did you transfer the log with a USB stick?

The computer has been reinfected with exactly the same infection.
We will not manage to solve this until we determine how the infection reaches the computer.
Is there a site you visit regularly?
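
The reinfection noted in the post above can be confirmed mechanically by comparing what the 7:04 ComboFix run removed with what the 16:27 run lists as present. This is an added example, not part of the original thread and not ComboFix code; the function names and the trimmed log excerpts are constructed for illustration, and treating the `.vir` name as the same file is an assumption.

```python
import re

# Constructed excerpts: lines taken from the two ComboFix logs in this thread,
# with section banners shortened and unrelated entries dropped.
LOG_0704 = r"""
((((( Other Deletions )))))
C:\rest.exe
c:\windows\system\wmibus.exe.vir
c:\windows\system32\ni.exe
((((( Drivers/Services )))))
-------\Legacy_WMIBUS
-------\Service_WMIBUS
"""
LOG_1627 = r"""
((((( Files Created from 2009-02-03 to 2009-03-03 )))))
2009-03-03 10:01 . 2009-03-03 10:01 527,872 --a------ c:\windows\system32\dq.exe
2009-03-03 09:24 . 2009-03-03 10:01 527,872 -r-hs---- c:\windows\system\wmibus.exe
2009-03-03 09:23 . 2009-03-03 09:24 527,872 --a------ c:\windows\system32\ni.exe
2009-02-28 14:19 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
((((( Reg Loading Points )))))
S2 WMIBUS;WMI Bus Database;c:\windows\system\wmibus.exe [2009-03-03 527872]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2006-03-18 9344]
"""

BANNER = re.compile(r"^\(+\s*(.+?)\s*\)+$")
CREATED = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. \S+ \S+ ([\d,]+) (\S+) (.+)$")
SERVICE = re.compile(r"^[SR]\d (\w+);[^;]*;(.+?) \[")

def sections(log):
    """Map each banner title to the non-empty lines that follow it."""
    out, current = {}, None
    for line in log.splitlines():
        line = line.strip()
        m = BANNER.match(line)
        if m:
            current = out.setdefault(m.group(1), [])
        elif current is not None and line not in ("", "."):
            current.append(line)
    return out

def norm(path):
    """Lower-case a path; assume a trailing .vir marks a renamed copy of the file."""
    path = path.lower()
    return path[:-4] if path.endswith(".vir") else path

def reinfection_report(before, after):
    """Compare what `before` removed with what `after` shows as present."""
    b, a = sections(before), sections(after)
    removed = {norm(p) for p in b.get("Other Deletions", [])}
    removed_svcs = {l.split("_", 1)[1].upper() for l in b.get("Drivers/Services", [])}
    created_key = next((k for k in a if k.startswith("Files Created")), None)
    created = [m.groups() for m in map(CREATED.match, a.get(created_key, [])) if m]
    back = {norm(p): (ts, size) for ts, size, _attr, p in created if norm(p) in removed}
    sizes = {size for _ts, size in back.values()}
    siblings = sorted(norm(p) for _ts, size, _a, p in created
                      if size in sizes and norm(p) not in back)
    svcs = [m.group(1) for l in after.splitlines() if (m := SERVICE.match(l.strip()))]
    return {"files_back": back, "same_size_new": siblings,
            "services_back": sorted(s for s in svcs if s.upper() in removed_svcs)}
```

On the thread's data this reports wmibus.exe and ni.exe back on disk, the WMIBUS service registered again, and dq.exe as a new file with the same 527,872-byte size.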

offline
  • Joined: 28 Feb 2009
  • Posts: 46

Here is how it is: the network works but the internet sometimes does not (the ADSL router is connected to the switch). That computer is mostly used to open e-mail, on Gmail. Before I plug a USB stick into any computer I clean it with BitDefender. When I pull the USB stick out of that computer, BitDefender does not find an infection. NOD32, which is on that computer, does not show that the computer has an infection, but Trojan Remover finds wmibus.exe as an infected file. A little while ago I disconnected the computer from the switch, because it is possible that the infection is coming over from some other computers on that network!?

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Download gmer.zip from this link and save it to the Desktop.
Unpack it into a folder.

Double-click gmer.exe to start: select the Rootkit/Malware tab at the top.
Click Scan.
When the scan is finished, click the Copy button below; this will save the scan results to the Clipboard.
Use the Paste option in Notepad to turn that into text. Save that text from Notepad as file1.txt.
Repeat the same with the Autostart tab. Save that text from Notepad as file2.txt.


Use the Attach file option below the message field on the forum, and attach here the two files we have just saved.
