 Poslao: 07 Jan 2010 01:20 |
|
|
|
|
Upravo sam instalirao windows i poceli su da iskacu prozori sa porukom
07.Jan.10 12:46:57 AM Real-time file system protection file C:\WINDOWS\system32\pmnnonl.dll Win32/Adware.Virtumonde application cleaned by deleting (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: \??\C:\WINDOWS\system32\winlogon.exe.
Ali posle sledeceg restarta opet isto se desava i tako u nedogled stalno izlazi
Evo DDS:
DDS (Ver_09-12-01.01) - NTFSx86
Run by Nebojsa at 0:51:55.67 on 07.Jan.10
Internet Explorer: 6.0.2900.3311
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.647 [GMT 1:00]
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Nebojsa\Desktop\dds.scr
============== Pseudo HJT Report ===============
BHO: {cf3fc4e8-8132-4d99-b43d-aec175d64e8b} - c:\windows\system32\pmnnonl.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [RaidTool] c:\program files\via\raid\raid_tool.exe
mRun: [AtiPTA] atiptaxx.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: AtiExtEvent - Ati2evxx.dll
Notify: pmnnonl - pmnnonl.dll
SEH: {cf3fc4e8-8132-4d99-b43d-aec175d64e8b} - c:\windows\system32\pmnnonl.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\nebojsa\applic~1\mozilla\firefox\profiles\n9zc4k0k.default\
FF - prefs.js: browser.startup.homepage - www.google.rs
============= SERVICES / DRIVERS ===============
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-7-1 34312]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-7-1 468224]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\lavalys\everest ultimate edition\kerneld.wnt [2010-1-7 23152]
=============== Created Last 30 ================
2010-01-06 23:15:03 0 d-----w- c:\windows\system32\PreInstall
2010-01-06 23:15:01 22752 ----a-w- c:\windows\system32\spupdsvc.exe
2010-01-06 23:14:59 0 d--h--w- c:\windows\$hf_mig$
2010-01-06 23:14:22 0 d-----w- c:\program files\The KMPlayer
2010-01-06 23:11:08 0 d-----w- c:\program files\common files\COWON
2010-01-06 23:11:05 0 d-----w- c:\program files\JetAudio
2010-01-06 23:10:09 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-01-06 23:09:47 421888 ----a-w- c:\windows\system32\ac3filter.acm
2010-01-06 23:09:42 0 d-----w- c:\program files\AC3Filter
2010-01-06 23:06:11 0 d-----w- c:\program files\ESET
2010-01-06 23:03:33 0 d-----w- c:\program files\Lavalys
2010-01-06 23:03:12 38912 ----a-w- c:\windows\system32\pmnnonl.dll
2010-01-06 22:53:06 0 d-----w- c:\program files\DivX
2010-01-06 22:52:38 0 d-----w- c:\program files\common files\ODBC
2010-01-06 22:52:33 0 d-----w- c:\program files\common files\SpeechEngines
2010-01-06 22:51:54 0 d-----r- c:\documents and settings\all users\Documents
2010-01-06 22:40:54 0 d-----w- c:\program files\MultiRes
2010-01-06 22:40:21 0 d-----w- c:\program files\Radeon Omega Drivers
2010-01-06 22:29:10 0 d-----w- c:\program files\Realtek Sound Manager
2010-01-06 22:29:10 0 d-----w- c:\program files\AvRack
2010-01-06 22:29:02 0 d-----w- c:\program files\Realtek AC97
2010-01-06 22:15:58 0 d-----w- c:\program files\VIA
2010-01-06 22:06:16 0 d-sh--w- c:\documents and settings\all users\DRM
2010-01-06 22:05:46 0 d--h--w- c:\program files\WindowsUpdate
2010-01-06 22:04:41 0 d-----w- c:\program files\common files\MSSoap
2010-01-06 22:02:12 0 d-----w- c:\program files\Online Services
2010-01-06 22:02:03 0 d-----w- c:\program files\Messenger
2010-01-06 22:01:59 0 d-----w- c:\program files\MSN Gaming Zone
2010-01-06 22:01:13 0 d-----w- c:\program files\Windows NT
==================== Find3M ====================
2010-01-06 22:40:21 451072 ----a-w- c:\windows\Radeon Omega Drivers v3.8.252 Uninstall.exe
2010-01-06 22:02:38 21640 ----a-w- c:\windows\system32\emptyregdb.dat
============= FINISH: 0:53:07.50 ===============
http://www.mycity.rs/Uploads/140613_1666773338_Attach.txt
http://www.mycity.rs/Uploads/140613_1738634612_Gmer1.log
http://www.mycity.rs/Uploads/140613_439986842_Gmer2.log
http://www.mycity.rs/Uploads/140613_1770322648_Gmer3.txt |
|
|
|
|
|
| Poslao: 07 Jan 2010 01:46 |
|
|
|
|
Pozdrav.
Preuzmi sUBs-ov ComboFix sa sledeće adrese na Desktop:
Bleeping Computer
 Kada preuzimanje programa bude završeno:
- deaktiviraj zaštitni softver (uputstvo);
- zatvori pokrenute programe;
- dvoklikom pokreni program ComboFix.
U toku rada, ComboFix će:- proveriti postoji li novija verzija programa:
- klikni Yes ako bude ponuđeno preuzimanje iste.
- prikazati DISCLAIMER OF WARRANTY ON SOFTWARE:
- klikni Yes kako bi proces bio nastavljen.
- ako Recovery Console nije instalirana, ponuditi instalaciju:
- obavezno prihvati klikom na Yes i isprati postupak.
- postaviti/dati određeni broj upita/obaveštenja:
- prihvati klikom na Yes ili OK.
- po potrebi, restartovati Windows (više puta);
- na kraju rada, otvoriti Notepad sa izveštajem o skeniranju.
Iskopiraj izveštaj koji je ComboFix napravio u temu na forumu:
- klikni desnim tasterom miša u prozor Notepad-a i izaberi Select All;
- klikni desnim tasterom miša na obeleženi tekst i izaberi Copy;
- klikni desnim tasterom miša u polje za pisanje poruke i izaberi Paste.
Napomena:- Izveštaj će biti sačuvan pod nazivom ComboFix.txt na sistemskoj particiji (tipična lokacija: C:\ComboFix.txt);
- Ukoliko nakon slanja poruke primetiš da izveštaj nije kompletan, iskoristi opciju Prikači fajl za prilaganje file-a C:\ComboFix.txt uz poruku.
|
|
|
|
|
|
| Poslao: 07 Jan 2010 02:13 |
|
|
|
|
----------- Napisano: 07 Jan 2010 2:07 ---------
ComboFix 10-01-04.01 - Nebojsa 07.Jan.10 1:54.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.619 [GMT 1:00]
Running from: c:\documents and settings\Nebojsa\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\pmnnonl.dll
.
((((((((((((((((((((((((( Files Created from 2009-12-07 to 2010-01-07 )))))))))))))))))))))))))))))))
.
2010-01-06 23:18 . 2010-01-06 23:18 0 ----a-w- c:\windows\nsreg.dat
2010-01-06 23:18 . 2010-01-06 23:18 -------- d-----w- c:\documents and settings\Nebojsa\Local Settings\Application Data\Mozilla
2010-01-06 23:15 . 2005-02-25 03:35 22752 ----a-w- c:\windows\system32\spupdsvc.exe
2010-01-06 23:14 . 2010-01-06 23:50 -------- d--h--w- c:\windows\$hf_mig$
2010-01-06 23:14 . 2010-01-06 23:16 -------- d-----w- c:\program files\The KMPlayer
2010-01-06 23:13 . 2010-01-06 23:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-01-06 23:12 . 2010-01-06 23:12 -------- d-----w- c:\program files\Google
2010-01-06 23:12 . 2010-01-06 23:12 -------- d-----w- c:\documents and settings\Nebojsa\Local Settings\Application Data\Google
2010-01-06 23:11 . 2010-01-06 23:11 -------- d-----w- c:\program files\Common Files\COWON
2010-01-06 23:11 . 2010-01-06 23:11 -------- d-----w- c:\program files\JetAudio
2010-01-06 23:10 . 2010-01-06 23:10 -------- d-----w- c:\documents and settings\Nebojsa\Application Data\InstallShield
2010-01-06 23:09 . 2010-01-06 23:09 -------- d-----w- c:\program files\AC3Filter
2010-01-06 23:07 . 2010-01-06 23:07 -------- d-----w- c:\documents and settings\Nebojsa\Local Settings\Application Data\ESET
2010-01-06 23:07 . 2010-01-06 23:07 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2010-01-06 23:06 . 2010-01-06 23:06 -------- d-----w- c:\program files\ESET
2010-01-06 23:06 . 2010-01-06 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-01-06 23:03 . 2010-01-06 23:03 -------- d-----w- c:\program files\Lavalys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-06 23:11 . 2010-01-06 22:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-06 22:53 . 2010-01-06 22:53 -------- d-----w- c:\program files\DivX
2010-01-06 22:41 . 2010-01-06 22:15 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-06 22:41 . 2010-01-06 22:40 -------- d-----w- c:\program files\MultiRes
2010-01-06 22:40 . 2010-01-06 22:40 451072 ----a-w- c:\windows\Radeon Omega Drivers v3.8.252 Uninstall.exe
2010-01-06 22:40 . 2010-01-06 22:40 -------- d-----w- c:\program files\Radeon Omega Drivers
2010-01-06 22:29 . 2010-01-06 22:29 -------- d-----w- c:\program files\Realtek Sound Manager
2010-01-06 22:29 . 2010-01-06 22:29 -------- d-----w- c:\program files\AvRack
2010-01-06 22:29 . 2010-01-06 22:29 -------- d-----w- c:\program files\Realtek AC97
2010-01-06 22:22 . 2010-01-06 22:15 -------- d-----w- c:\program files\VIA
2010-01-06 22:14 . 2010-01-06 22:14 12328 ----a-w- c:\documents and settings\Nebojsa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-06 22:07 . 2010-01-06 22:07 -------- d-----w- c:\program files\microsoft frontpage
2010-01-06 22:06 . 2010-01-06 22:06 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-06 22:02 . 2010-01-06 22:02 21640 ----a-w- c:\windows\system32\emptyregdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2004-10-11 589824]
"AtiPTA"="atiptaxx.exe" [2006-02-22 344064]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-02-12 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-02-12 53760]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [01.Jul.08 09:04 34312]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [01.Jul.08 09:02 468224]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [07.Jan.10 00:03 23152]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Nebojsa\Application Data\Mozilla\Firefox\Profiles\n9zc4k0k.default\
FF - prefs.js: browser.startup.homepage - www.google.rs
.
- - - - ORPHANS REMOVED - - - -
AddRemove-XPv3.8.252 - c:\windows\Radeon Omega Drivers v3.8.252
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-07 02:00
Windows 5.1.2600 Service Pack 3, v.3311 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-07 02:03:03 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-07 01:03
Pre-Run: 10,474,168,320 bytes free
Post-Run: 10,521,497,600 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - C0E77651B84C23A483FF3E18C6A8DB63
----------- Dopuna: 07 Jan 2010 2:13 ---------
I kazi mi sad mi je nestalo dole u levom uglu ona ikonica sa kojom menjam jezik serbian latin serbian cirilic i englis kako da je vratim? |
|
|
|
|
|
| Poslao: 07 Jan 2010 02:53 |
|
|
|
|
Za ikonicu...
Idi na Start > Control Panel i dvoklik na Regional and Language Options.
Prebaci na karticu Language;
Klikni na Details pa na Add;
Odabereš jezik pa Ok...
Što se tiče infekcije trebalo bi da je sve sada u redu.
Isprati još sledeće...
Potrebno je deinstalirati ComboFix:
- klikni start (ili
 ), a zatim RUN.
Na Visti koristiti Start Search polje ukoliko Run nije dostupan.
- U liniju za unos teksta ukucaj (iskopiraj) sledeće:
- ComboFix /Uninstall
Primeti da postoji razmak između "ComboFix" i "/Uninstall".
- a zatim klikni OK (ili pritisni Enter).
Sačekaj da se proces deinstalacije završi. |
|
|
|
|
|
| Poslao: 07 Jan 2010 03:01 |
|
|
|
|
Vidi nije problem bio u tome sto si napisao nego u tome sto mi je posle skeniranja nestao LANGUAGE BAR ali resio sam u opcijama region i la...... pa kad se udje bilo mi je stiklirano
Systemconfiguracion pa opcija TURN OFF ADVANCED TEXT SERVICES i zbog toga mi je nestao language............. Sad ga imam ponovo a jos jedno pitanje otkud mi taj djavo u kompu????? |
|
|
|
|
|
| Poslao: 07 Jan 2010 03:33 |
|
|
|
|
| nebojsa77ns :: | | ...a jos jedno pitanje otkud mi taj djavo u kompu????? |
Mogu da pretpostavim, ali ne bih da nagađam.
Ono što je bilo maliciozno smo uklonili, tako da smo ovde završili.
Pozdrav. |
|
|
|
|
|
| Poslao: 07 Jan 2010 11:13 |
|
|
|
|
Hvala i tebi na pomoci.
Pozdrav |
|
|
|
|
|
  |
Strana 1 od 1
|
(Registrovanim korisnicima se NE prikazuju reklame)
Ukupno su 66 korisnika na forumu :: 3 Registrovanih, 1 Sakrivenih i 62 Gosta :: [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije
Najviše korisnika na forumu ikad bilo je 972 - dana 26 Okt 2008 13:06
Korisnici trenutno na forumu: Da vam Bata nešto kaže..., vetox, Žan Klod vam dam |
|
Turista 
