Possible infection, please take a look...

  • Joined: 27 Jan 2008
  • Posts: 35

Hi,
it seems to me that my work computer has some kind of infection. Ad-Aware 2007 found something... it looks like a trojan to me.

Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 14:53:12, on 28.4.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SMARTPOS\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logosoft\SmartPOS\SmartPOS Administracija.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Logosoft\SmartPOS\SmartPOS Terminal.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Planeta\Desktop\Hijackthis\veni.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: officexp.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A} (FileInterface Class) - online.bancaintesabeograd.com/RetailDLL/FSINT.dll
O16 - DPF: {76326493-E84F-4D4B-939C-1E07B50037F2} (ProxyModule Class) - online.bancaintesabeograd.com/RetailDLL/SGCMSCCD.DLL
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - news.beograd.com/AxisCamControl.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
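As an added example (not part of the thread and not a HijackThis feature or the helper's own method), here is a small Python triage script that applies the kind of checks a log reader does by eye to the HijackThis format above: a loose executable in the Startup folder, Run entries that give only a bare file name, entries whose target is "(file missing)", Winsock LSPs and downloaded ActiveX controls. The rule names are this example's own, and the sample lines are a constructed excerpt of the log posted above; each rule marks an entry for review, not as malicious (the Bonjour LSP in the log is a legitimate Apple component, which is exactly what a reviewer has to confirm).

```python
"""Triage a HijackThis 1.99 log: flag entries that deserve a closer look.

Added example, not a HijackThis feature and not the helper's tool. Every
rule marks an entry for review; it is not a verdict.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    rule: str      # name of the heuristic that fired (names are this example's own)
    entry: str     # the original log line


# "O4 - ..." / "R1 - ..." style lines; the remainder of the line is the body.
SECTION_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")


def _run_target(body):
    """Extract the executable from an O4 Run entry: [name] target args."""
    target = body.split("] ", 1)[1] if "] " in body else body
    target = target.strip()
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]
    return target.split(" ", 1)[0]


def triage_line(line):
    """Return a Finding for one log line, or None if no rule fired."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section == "O4" and re.match(r"(Global )?Startup:", body):
        # A loose executable in the Startup folder: no installer, no vendor,
        # runs at every logon. The helper removed exactly this entry.
        return Finding(section, "startup-folder-exe", line)
    if "(file missing)" in body:
        # The registry points at a program that is no longer on disk.
        return Finding(section, "orphaned-entry", line)
    if section == "O4" and "\\" not in _run_target(body):
        # Bare file name: resolved through the process search path, so the
        # log alone does not say which copy of Mixer.exe actually runs.
        return Finding(section, "unqualified-path", line)
    if section == "O10":
        # Winsock LSPs see all socket traffic; confirm the vendor.
        return Finding(section, "winsock-lsp", line)
    if section == "O16":
        # ActiveX control downloaded from a web site; confirm the site.
        return Finding(section, "activex-download", line)
    return None


def triage_log(text):
    """Run triage_line over a whole log and keep only the hits."""
    return [f for f in map(triage_line, text.splitlines()) if f]


# Constructed excerpt of the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - Startup: officexp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - news.beograd.com/AxisCamControl.ocx
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:<5}{f.rule:<20}{f.entry}")
```

On the sample the script flags five of the eight lines and leaves the Adobe BHO, the fully qualified ClamWin entry and the Bonjour service alone; the Startup-folder hit (officexp.exe) is the one the helper later deleted, the other four are review items.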

  • helen1
  • Anti Malware Fighter
    Rank 2
  • Master Teacher
  • Joined: 27 Aug 2005
  • Posts: 8617
  • Location: Novi Beograd

You're right. The computer is infected.

Download ComboFix from one of the following addresses to your Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and don't touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log will appear (C:\ComboFix.txt), which you then copy here for us.

  • Joined: 27 Jan 2008
  • Posts: 35

ComboFix 08-04-29.5 - Planeta 2008-04-30 20:15:59.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.281 [GMT 2:00]
Running from: C:\Documents and Settings\Planeta\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
.

2008-04-29 08:34 . 2008-04-30 08:35 32,256 --a------ C:\WINDOWS\system32\inter32.dll
2008-04-29 08:34 . 2008-04-30 08:35 12,800 --a------ C:\WINDOWS\system32\c_19460.nls
2008-04-29 08:34 . 2008-04-30 08:35 9,728 --a------ C:\WINDOWS\system32\shell64.dll
2008-04-05 08:49 . 2008-04-05 08:49 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-02 09:16 . 2008-04-02 09:16 <DIR> d-------- C:\Documents and Settings\Planeta\Application Data\Media Player Classic
2008-04-02 09:13 . 2004-08-04 00:56 80,060 -rahs---- C:\WINDOWS\system32\windfire.exe
2008-04-02 09:13 . 2008-04-30 08:35 80,060 --a------ C:\WINDOWS\system32\nvidia32.exe
2008-04-02 09:13 . 2008-04-02 09:13 80,060 --a------ C:\WINDOWS\system32\c_20462.nls
2008-04-02 09:13 . 2008-04-30 08:35 80,060 --a------ C:\WINDOWS\system32\c_10810.nls
2008-03-31 17:49 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-03-28 19:37 . 2008-03-28 19:37 <DIR> d-------- C:\Program Files\iTunes
2008-03-28 19:37 . 2008-03-28 19:37 <DIR> d-------- C:\Program Files\iPod
2008-03-28 19:37 . 2008-03-28 19:37 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-28 19:37 . 2008-03-28 19:37 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-28 19:36 . 2008-03-28 19:36 <DIR> d-------- C:\Program Files\Bonjour
2008-03-28 19:36 . 2008-03-28 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-28 19:35 . 2008-03-28 19:35 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-28 19:35 . 2008-03-28 19:35 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-03-28 19:26 . 2008-03-28 20:51 <DIR> d-------- C:\Program Files\QuickTime
2008-03-20 11:57 . 2008-03-20 11:55 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-20 11:57 . 2008-03-20 11:57 2,543 --a------ C:\WINDOWS\unins000.dat
2008-03-20 11:51 . 2008-03-21 09:57 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-20 11:51 . 2008-03-21 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-20 11:03 . 2008-03-20 11:03 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-20 11:03 . 2008-03-20 11:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-20 10:04 . 2008-03-20 10:04 <DIR> d--hs---- C:\TrustedAntivirus
2008-03-20 10:03 . 2008-03-20 10:33 <DIR> d-------- C:\Documents and Settings\Planeta\Application Data\TrustedAntivirus
2008-03-20 09:57 . 2008-03-20 09:57 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-03-20 09:57 . 2004-10-07 14:39 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-03-20 09:57 . 2004-10-07 14:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-03-20 09:57 . 2001-03-08 19:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-03-13 19:04 . 2008-03-13 19:04 <DIR> d-------- C:\WINDOWS\Sun
2008-03-13 19:04 . 2008-03-13 19:04 <DIR> d-------- C:\Program Files\Java
2008-03-13 19:04 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-13 19:02 . 2008-03-13 19:02 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-12 19:49 . 2008-03-12 19:49 <DIR> d-------- C:\Program Files\SopCast
2008-03-12 19:29 . 2008-03-12 19:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TVU networks
2008-03-12 19:25 . 2008-03-12 19:29 <DIR> d-------- C:\Program Files\TVUPlayer
2008-03-12 19:25 . 2008-03-12 19:25 <DIR> d-------- C:\Documents and Settings\Planeta\Application Data\TVU Networks
2008-03-06 12:18 . 2008-03-06 12:18 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-03-06 12:18 . 2007-11-30 00:30 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-03-05 19:44 . 2008-03-28 19:37 <DIR> d-------- C:\Documents and Settings\Planeta\Application Data\Apple Computer
2008-03-05 19:33 . 2008-03-05 19:33 <DIR> d-------- C:\Program Files\Apple Software Update
2008-03-05 19:33 . 2008-03-05 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 18:00 --------- d-----w C:\Documents and Settings\Planeta\Application Data\OpenOffice.org2
2008-03-25 18:15 --------- d-----w C:\Program Files\Google
2008-02-21 15:42 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-02-21 15:42 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-01-10 12:16 159,839 ----a-w C:\WINDOWS\system32\xvidvfw.dll
2008-01-10 12:15 755,027 ----a-w C:\WINDOWS\system32\xvidcore.dll
2004-08-03 22:56 80,060 --sha-r C:\WINDOWS\system32\windfire.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-17 19:15 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [2002-01-29 00:16 1228800 C:\WINDOWS\mixer.exe]
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2007-07-23 02:17 73728]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"Samsung Common SM"="C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 09:20 372736]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-21 17:42 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]

C:\Documents and Settings\Planeta\Start Menu\Programs\Startup\
officexp.exe [2008-04-02 09:13:56 80060]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\sopvod.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 MSSQL$SMARTPOS;MSSQL$SMARTPOS;C:\Program Files\Microsoft SQL Server\MSSQL$SMARTPOS\Binn\sqlservr.exe [2002-12-17 17:26]
S3 SQLAgent$SMARTPOS;SQLAgent$SMARTPOS;C:\Program Files\Microsoft SQL Server\MSSQL$SMARTPOS\Binn\sqlagent.EXE [2002-12-17 17:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 11:59:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-04-30 20:17:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-30 20:18:21
ComboFix-quarantined-files.txt 2008-04-30 18:18:10
ComboFix2.txt 2008-03-21 08:04:12

Pre-Run: 9,103,892,480 bytes free
Post-Run: 9,611,096,064 bytes free

  • helen1
  • Anti Malware Fighter
    Rank 2
  • Master Teacher
  • Joined: 27 Aug 2005
  • Posts: 8617
  • Location: Novi Beograd

Open Notepad and copy the following text into it:


File::
C:\WINDOWS\system32\inter32.dll
C:\WINDOWS\system32\c_19460.nls
C:\WINDOWS\system32\shell64.dll
C:\WINDOWS\system32\c_20462.nls
C:\WINDOWS\system32\c_10810.nls
C:\WINDOWS\system32\windfire.exe
C:\Documents and Settings\Planeta\Start Menu\Programs\Startup\officexp.exe


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as in the picture.
Post the log that is created at the end of the cleaning/scanning in your next message.

  • Joined: 27 Jan 2008
  • Posts: 35

ComboFix 08-04-29.5 - Planeta 2008-05-02 20:13:32.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.333 [GMT 2:00]
Running from: C:\Documents and Settings\Planeta\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Planeta\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Planeta\Start Menu\Programs\Startup\officexp.exe
C:\WINDOWS\system32\c_10810.nls
C:\WINDOWS\system32\c_19460.nls
C:\WINDOWS\system32\c_20462.nls
C:\WINDOWS\system32\inter32.dll
C:\WINDOWS\system32\shell64.dll
C:\WINDOWS\system32\windfire.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Planeta\Start Menu\Programs\Startup\officexp.exe
C:\WINDOWS\system32\c_10810.nls
C:\WINDOWS\system32\c_19460.nls
C:\WINDOWS\system32\c_20462.nls
C:\WINDOWS\system32\inter32.dll
C:\WINDOWS\system32\shell64.dll
C:\WINDOWS\system32\windfire.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-02 to 2008-05-02 )))))))))))))))))))))))))))))))
.

2008-04-05 08:49 . 2008-04-05 08:49 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-02 09:16 . 2008-04-02 09:16 <DIR> d-------- C:\Documents and Settings\Planeta\Application Data\Media Player Classic
2008-04-02 09:13 . 2008-05-02 07:27 80,060 --a------ C:\WINDOWS\system32\nvidia32.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 18:00 --------- d-----w C:\Documents and Settings\Planeta\Application Data\OpenOffice.org2
2008-03-28 18:51 --------- d-----w C:\Program Files\QuickTime
2008-03-28 17:37 --------- d-----w C:\Program Files\iTunes
2008-03-28 17:37 --------- d-----w C:\Program Files\iPod
2008-03-28 17:37 --------- d-----w C:\Documents and Settings\Planeta\Application Data\Apple Computer
2008-03-28 17:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-28 17:36 --------- d-----w C:\Program Files\Bonjour
2008-03-28 17:35 --------- d-----w C:\Program Files\Common Files\Apple
2008-03-25 18:15 --------- d-----w C:\Program Files\Google
2008-03-21 07:57 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-21 07:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-20 09:55 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-20 09:03 --------- d-----w C:\Program Files\Lavasoft
2008-03-20 09:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-20 08:33 --------- d-----w C:\Documents and Settings\Planeta\Application Data\TrustedAntivirus
2008-03-20 07:57 --------- d-----r C:\Documents and Settings\All Users\Application Data\SalesMon
2008-03-13 17:04 --------- d-----w C:\Program Files\Java
2008-03-13 17:02 --------- d-----w C:\Program Files\Common Files\Java
2008-03-12 17:49 --------- d-----w C:\Program Files\SopCast
2008-03-12 17:29 --------- d-----w C:\Program Files\TVUPlayer
2008-03-12 17:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\TVU networks
2008-03-12 17:25 --------- d-----w C:\Documents and Settings\Planeta\Application Data\TVU Networks
2008-03-06 10:18 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-03-05 17:33 --------- d-----w C:\Program Files\Apple Software Update
2008-03-05 17:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-02-21 15:42 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-02-21 15:42 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-30_20.17.59,82 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-30 06:34:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-02 05:26:39 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-02 05:26:55 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_690.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-17 19:15 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [2002-01-29 00:16 1228800 C:\WINDOWS\mixer.exe]
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2007-07-23 02:17 73728]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"Samsung Common SM"="C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 09:20 372736]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-21 17:42 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\sopvod.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 MSSQL$SMARTPOS;MSSQL$SMARTPOS;C:\Program Files\Microsoft SQL Server\MSSQL$SMARTPOS\Binn\sqlservr.exe [2002-12-17 17:26]
S3 SQLAgent$SMARTPOS;SQLAgent$SMARTPOS;C:\Program Files\Microsoft SQL Server\MSSQL$SMARTPOS\Binn\sqlagent.EXE [2002-12-17 17:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 11:59:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-05-02 20:15:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-02 20:16:14
ComboFix-quarantined-files.txt 2008-05-02 18:16:05
ComboFix2.txt 2008-04-30 18:18:23
ComboFix3.txt 2008-03-21 08:04:12

Pre-Run: 8,980,955,136 bytes free
Post-Run: 9,538,887,680 bytes free
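The two ComboFix logs above, read side by side, carry the forensic point of this thread: nvidia32.exe was not in the first CFScript, and the second log shows its last-write time moved from 2008-04-30 08:35 to 2008-05-02 07:27, so something wrote to it again after the first cleanup. The following Python script is an added example (not the helper's tool, and not how the helper chose the entries; those choices came from experience): it parses the "Files Created" section of the first log, flags entries with three rules of this example's own making (three or more differently named files of exactly the same size; files written in the same minute as an already flagged file, counting only last-write times later than the file's own creation time so that the back-dated 2004-08-04 00:56 stamp on windfire.exe, identical to the genuine XP SP2 stamp on wmpns.dll in the same log, does not pull OS files in; hidden+system attributes on a plain file under system32), checks which flagged files are still present in the second log, and renders what is left in the File::/Folder:: CFScript format used in the instructions above. The log excerpts are constructed subsets of the logs posted in this thread.

```python
"""Cross-check two ComboFix logs and draft a CFScript for what survived.

Added example, not the helper's tool or method. The three flagging rules
(same size under several names, same last-write minute as a flagged file,
hidden+system attributes under system32) are this example's own.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# "2008-04-29 08:34 . 2008-04-30 08:35 32,256 --a------ C:\...\inter32.dll"
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$")


@dataclass(frozen=True)
class Entry:
    created: str    # "YYYY-MM-DD HH:MM", sortable as plain text
    modified: str
    size: int       # -1 for directories
    attrs: str      # e.g. "-rahs----"
    path: str


def parse_entries(text):
    """Parse 'Files Created' lines; every other line of the log is ignored."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            created, modified, size, attrs, path = m.groups()
            size = -1 if size == "<DIR>" else int(size.replace(",", ""))
            out.append(Entry(created, modified, size, attrs, path))
    return out


def flag_suspicious(entries):
    """Return {path: [reasons]} for plain files that match the rules."""
    files = [e for e in entries if e.size >= 0]
    reasons = defaultdict(list)
    by_size = defaultdict(set)
    for e in files:
        by_size[e.size].add(e.path)
    for e in files:
        if len(by_size[e.size]) >= 3:
            reasons[e.path].append(f"size {e.size:,} shared by {len(by_size[e.size])} files")
        if "h" in e.attrs and "s" in e.attrs and "\\system32\\" in e.path.lower():
            reasons[e.path].append(f"hidden+system attributes {e.attrs}")
    # Minutes in which a flagged file was written after it was created;
    # a last-write time older than the creation time is a back-dated stamp.
    seed_minutes = {e.modified for e in files
                    if e.path in reasons and e.modified > e.created}
    for e in files:
        if e.path not in reasons and e.modified in seed_minutes:
            reasons[e.path].append(f"written {e.modified}, same minute as flagged files")
    return dict(reasons)


def compare(flagged, before, after):
    """For each flagged path: 'gone', 'unchanged', or 'rewritten <time>'."""
    before_mtime = {e.path: e.modified for e in before}
    after_mtime = {e.path: e.modified for e in after}
    status = {}
    for path in flagged:
        if path not in after_mtime:
            status[path] = "gone"
        elif after_mtime[path] != before_mtime[path]:
            status[path] = f"rewritten {after_mtime[path]}"
        else:
            status[path] = "unchanged"
    return status


def cfscript(files=(), folders=()):
    """Render File::/Folder:: directives in the format the helper used."""
    lines = []
    if files:
        lines += ["File::", *files, ""]
    if folders:
        lines += ["Folder::", *folders, ""]
    return "\n".join(lines)


# Constructed excerpts of the 2008-04-30 and 2008-05-02 logs posted above.
FIRST_LOG = r"""
2008-04-29 08:34 . 2008-04-30 08:35 32,256 --a------ C:\WINDOWS\system32\inter32.dll
2008-04-29 08:34 . 2008-04-30 08:35 12,800 --a------ C:\WINDOWS\system32\c_19460.nls
2008-04-29 08:34 . 2008-04-30 08:35 9,728 --a------ C:\WINDOWS\system32\shell64.dll
2008-04-05 08:49 . 2008-04-05 08:49 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-02 09:13 . 2004-08-04 00:56 80,060 -rahs---- C:\WINDOWS\system32\windfire.exe
2008-04-02 09:13 . 2008-04-30 08:35 80,060 --a------ C:\WINDOWS\system32\nvidia32.exe
2008-04-02 09:13 . 2008-04-02 09:13 80,060 --a------ C:\WINDOWS\system32\c_20462.nls
2008-04-02 09:13 . 2008-04-30 08:35 80,060 --a------ C:\WINDOWS\system32\c_10810.nls
2008-03-31 17:49 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-03-13 19:04 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
"""
SECOND_LOG = r"""
2008-04-05 08:49 . 2008-04-05 08:49 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-02 09:13 . 2008-05-02 07:27 80,060 --a------ C:\WINDOWS\system32\nvidia32.exe
"""

if __name__ == "__main__":
    flagged = flag_suspicious(parse_entries(FIRST_LOG))
    status = compare(flagged, parse_entries(FIRST_LOG), parse_entries(SECOND_LOG))
    for path, why in flagged.items():
        print(f"{status[path]:<28}{path}  ({'; '.join(why)})")
    survivors = sorted(p for p, s in status.items() if s != "gone")
    print(cfscript(files=survivors))
```

On these excerpts the size rule catches the four 80,060-byte files, the attribute rule adds a second reason for windfire.exe, and the same-minute rule pulls in inter32.dll, c_19460.nls and shell64.dll (all written 2008-04-30 08:35), which is the exact set the helper put in the first CFScript plus nvidia32.exe; wmpns.dll and javacpl.cpl stay clear. The comparison then reports nvidia32.exe as rewritten at 2008-05-02 07:27. The second log's snapshot section records bootstat.dat at 05:26 UTC, 07:26 in the log's GMT+2 zone, so the rewrite happened about a minute after that day's boot, which suggests a startup component was still touching the file; the helper's second script removed it along with the TrustedAntivirus and SalesMon folders.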

  • helen1
  • Anti Malware Fighter
    Rank 2
  • Master Teacher
  • Joined: 27 Aug 2005
  • Posts: 8617
  • Location: Novi Beograd

Sorry you had to wait, I forgot about you. (embarrassed)

Open Notepad and copy the following text into it:

File::
C:\WINDOWS\system32\nvidia32.exe

Folder::
C:\Documents and Settings\Planeta\Application Data\TrustedAntivirus
C:\Documents and Settings\All Users\Application Data\SalesMon



Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as in the picture.
Post the log that is created at the end of the cleaning/scanning in your next message.

  • Joined: 27 Jan 2008
  • Posts: 35

ComboFix 08-04-29.5 - Planeta 2008-05-07 8:58:51.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.86 [GMT 2:00]
Running from: C:\Documents and Settings\Planeta\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Planeta\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\nvidia32.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\SalesMon
C:\Documents and Settings\Planeta\Application Data\TrustedAntivirus
C:\Documents and Settings\Planeta\Application Data\TrustedAntivirus\Logs\threats.log
C:\Documents and Settings\Planeta\Application Data\TrustedAntivirus\Logs\update.log
C:\Documents and Settings\Planeta\Application Data\TrustedAntivirus\PGE.dat
C:\WINDOWS\system32\nvidia32.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-06 18:09 --------- d-----w C:\Documents and Settings\Planeta\Application Data\OpenOffice.org2
2008-04-05 06:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-02 07:16 --------- d-----w C:\Documents and Settings\Planeta\Application Data\Media Player Classic
2008-03-28 18:51 --------- d-----w C:\Program Files\QuickTime
2008-03-28 17:37 --------- d-----w C:\Program Files\iTunes
2008-03-28 17:37 --------- d-----w C:\Program Files\iPod
2008-03-28 17:37 --------- d-----w C:\Documents and Settings\Planeta\Application Data\Apple Computer
2008-03-28 17:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-28 17:36 --------- d-----w C:\Program Files\Bonjour
2008-03-28 17:35 --------- d-----w C:\Program Files\Common Files\Apple
2008-03-25 18:15 --------- d-----w C:\Program Files\Google
2008-03-21 07:57 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-21 07:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-20 09:55 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-20 09:03 --------- d-----w C:\Program Files\Lavasoft
2008-03-20 09:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-13 17:04 --------- d-----w C:\Program Files\Java
2008-03-13 17:02 --------- d-----w C:\Program Files\Common Files\Java
2008-03-12 17:49 --------- d-----w C:\Program Files\SopCast
2008-03-12 17:29 --------- d-----w C:\Program Files\TVUPlayer
2008-03-12 17:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\TVU networks
2008-03-12 17:25 --------- d-----w C:\Documents and Settings\Planeta\Application Data\TVU Networks
2008-02-21 15:42 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-02-21 15:42 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-30_20.17.59,82 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-30 06:34:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-07 06:29:55 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-07 06:30:11 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_680.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-17 19:15 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [2002-01-29 00:16 1228800 C:\WINDOWS\mixer.exe]
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2007-07-23 02:17 73728]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"Samsung Common SM"="C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 09:20 372736]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-21 17:42 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\sopvod.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 MSSQL$SMARTPOS;MSSQL$SMARTPOS;C:\Program Files\Microsoft SQL Server\MSSQL$SMARTPOS\Binn\sqlservr.exe [2002-12-17 17:26]
S3 SQLAgent$SMARTPOS;SQLAgent$SMARTPOS;C:\Program Files\Microsoft SQL Server\MSSQL$SMARTPOS\Binn\sqlagent.EXE [2002-12-17 17:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-05-03 11:59:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-05-07 09:00:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-07 9:01:30
ComboFix-quarantined-files.txt 2008-05-07 07:01:25
ComboFix2.txt 2008-05-02 18:16:15
ComboFix3.txt 2008-04-30 18:18:23
ComboFix4.txt 2008-03-21 08:04:12

Pre-Run: 8,972,914,688 bytes free
Post-Run: 9,212,358,656 bytes free

  • helen1
  • Anti Malware Fighter
    Rank 2
  • Master Teacher
  • Joined: 27 Aug 2005
  • Posts: 8617
  • Location: Novi Beograd

  • Joined: 27 Jan 2008
  • Posts: 35

Thank you very much...
