Trojan and rootkit

  • Joined: 06 May 2008
  • Posts: 12

Logfile of HijackThis v1.99.1
Scan saved at 17:52:55, on 6.5.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\irina\Desktop\New Folder\program.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [Link mogu videti samo ulogovani korisnici]
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: IE7Pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7Pro\IE7Pro.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MagUninstall] "C:\Program Files\Ashampoo\Ashampoo Magical UnInstall\MagicalUnInstall.exe"
O4 - HKLM\..\Run: [advap32] "C:\Documents and Settings\irina\Desktop\.//..//~tmp1174.exe" /r
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O8 - Extra context menu item: &Preuzmi sa FlashGet-om - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Preuzmi sve sa FlashGet-om - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [Link mogu videti samo ulogovani korisnici]\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open With GetRight Browser - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {2D0280B1-DC42-4DFA-9525-09BD48838539} (OSAKitPro.OSAKit) - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} (CPlayFirstDoggieDashControl Object) - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} (GameHouse Games Player) - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {935F9B04-0C7B-4454-A391-348C54AD7ADD} (Jolly Bear Games Player) - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {C0C0CB9B-BFEB-47C2-90FA-BE9692875ADB} (CPlayFirstPetShopHopControl Object) - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {D40F5876-A494-4124-8161-82625BB28C06} (CPlayFirstChocolatieControl Object) - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {E41BA393-9078-424E-9554-9DB5126F5F4C} (CPlayFirstDreamChronControl Object) - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {F4EBFE42-D82A-48EB-B70E-7499FFEAFF3F} (CPlayFirstDressShopHControl Object) - [Link mogu videti samo ulogovani korisnici]
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2F95E02-3E61-4300-A9B1-AD9BEFAFC92E}: NameServer = 195.222.32.10 195.222.32.20
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WinNt32 - C:\WINDOWS\SYSTEM32\WinNt32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

The problems and the computer shutting down started while playing games online; until then I had no problems, even though I had played them before. I use avast antivirus and it constantly warns me that my computer is infected with viruses, e.g. Win32:Agent-WJS(Trj), Win32:Trojan-gen(UPX), Win32:Agent-WJU(Wrm), and there are also quite a few Win32:Rootkit-gen(Rtk). The most infected locations are system volume information/restore and C:/Windows/System32/drivers. I don't know whether that is also why the computer keeps shutting down and I get a blue screen message driver_irql_not_less_or_equal. At the bottom of the screen it also says tcpr.sys-adress F9F82CAF BABE AT F9F82000 DATESTAMP 4807738eb. Because of the constant virus warnings I turned off avast on-access protection before the scan with HijackThis. I connect via a modem. Can you help me, but as simply as possible :-) because I'm not an expert and I don't want to break the computer even more. Thanks in advance



  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hi...



Temporarily disable your antivirus while using the following program...

Download ComboFix to the Desktop from one of the following addresses:
[Link visible only to logged-in users]
[Link visible only to logged-in users]
[Link visible only to logged-in users]

Start it and do not touch the program window while it scans.

Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear; paste it here for us.



  • Joined: 06 May 2008
  • Posts: 12

ComboFix 08-05-01.3 - irina 2008-05-06 23:03:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.385.1033.18.46 [GMT 2:00]
Running from: C:\Downloads\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\irina\~tmp1174.exe
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\_000111_.tmp.dll
C:\WINDOWS\system32\WinNt32.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-06 to 2008-05-06 )))))))))))))))))))))))))))))))
.

2008-05-06 23:02 . 2008-05-06 23:02 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-06 21:48 . 2008-05-06 22:19 <DIR> d-------- C:\Program Files\Panda Security
2008-05-06 18:49 . 2008-05-06 18:49 <DIR> d-------- C:\Documents and Settings\irina\Application Data\IEPro
2008-05-06 18:48 . 2008-05-06 18:49 <DIR> d-------- C:\Program Files\IEPro
2008-05-06 16:58 . 2008-05-06 16:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-05 20:44 . 2008-05-05 20:44 <DIR> d-------- C:\Program Files\Common Files\Raxco
2008-05-05 20:15 . 2008-05-05 20:17 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-05-05 19:49 . 2008-05-05 19:49 <DIR> d-------- C:\Documents and Settings\irina\.housecall6.6
2008-05-04 20:40 . 2008-05-04 20:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GameHouse
2008-05-04 18:57 . 2008-05-06 14:03 6,400 --a------ C:\WINDOWS\system32\drivers\tcpsr.sys
2008-05-02 13:36 . 2008-05-02 13:36 14,976 --a------ C:\WINDOWS\system32\drivers\Qvb61.sys
2008-05-02 13:36 . 2008-05-02 13:36 14,976 --a------ C:\WINDOWS\system32\drivers\Chm62.sys
2008-05-02 13:34 . 2008-05-02 13:34 14,976 --a------ C:\WINDOWS\system32\drivers\Hmr62.sys
2008-05-01 19:44 . 2008-05-06 13:26 192,512 --a------ C:\WINDOWS\system32\cbOCR.dll
2008-05-01 19:44 . 2008-05-06 13:53 192,512 --a------ C:\Documents and Settings\irina\cbOCR.dll
2008-05-01 10:58 . 2008-05-01 10:58 14,976 --a------ C:\WINDOWS\system32\drivers\Cim38.sys
2008-04-28 16:57 . 2008-04-28 16:57 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Yahoo!
2008-04-28 16:56 . 2008-04-29 12:03 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\IE7Pro
2008-04-13 19:57 . 2005-11-01 09:52 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2008-04-13 19:57 . 2005-11-01 09:52 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2008-04-13 19:57 . 2005-11-01 09:52 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2008-04-13 19:57 . 2005-11-01 09:52 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2008-04-13 19:57 . 2005-11-01 09:52 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2008-04-13 19:57 . 2005-11-01 09:52 5,632 --a------ C:\WINDOWS\system32\kbd103.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-06 21:27 --------- d-----w C:\Documents and Settings\irina\Application Data\OnlineArmor
2008-05-06 21:12 --------- d-----w C:\Program Files\FlashGet
2008-05-06 18:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\GoBit Games
2008-05-06 16:48 --------- d-----w C:\Program Files\IE7Pro
2008-05-05 18:44 --------- d-----w C:\Program Files\Raxco
2008-04-05 17:12 --------- d-----w C:\Documents and Settings\irina\Application Data\IE7Pro
2007-10-24 16:01 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
.
C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
578,048 2007-03-08 15:48:36 C:\WINDOWS\SoftwareDistribution\Download\4d9d678c0d8af22c04a4a7fc7f1ff86c\sp2qfe\user32.dll
577,024 2005-11-01 08:53:24 C:\WINDOWS\system32\user32.dll


------- Sigcheck -------

2005-11-01 10:55 502272 847c91b55752adee4cb76b8252ee5691 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-26 23:10 68856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 23:57 1103480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-24 14:30 185632]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55 267064]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"SoundMan"="SOUNDMAN.EXE" [2005-11-01 10:56 90112 C:\WINDOWS\SOUNDMAN.EXE]
"MagUninstall"="C:\Program Files\Ashampoo\Ashampoo Magical UnInstall\MagicalUnInstall.exe" [ ]
"advap32"="C:\Documents and Settings\irina\Desktop\.//..//~tmp1174.exe" [ ]
"combofix"="C:\WINDOWS\system32\CF12394.exe" [2004-08-04 00:56 388608]
"OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe" [2007-11-04 02:38 4803136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="cmd.exe" [2004-08-04 00:56 388608 C:\WINDOWS\system32\cmd.exe]
"nlhr"="C:\WINDOWS\System32\AdvPack.Dll" [2004-08-04 00:56 99840]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 22:59 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll [2007-11-04 02:38 633344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"SfcDisable"=dword:ffffff9d

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Afk40.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Agl40.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Chm16.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Chm62.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Cim15.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Cim38.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Din04.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ekp37.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Fkp05.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Fkp51.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Fkp61.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Gmq05.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hmr38.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hmr62.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ins38.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Kpu38.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lqv04.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lrw62.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Nsx40.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Oty61.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Pua84.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qvb61.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sxd61.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Tye16.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Tye38.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Uaf26.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Uaf62.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Vbg84.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdh27.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdi05.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xdi16.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xej40.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Yej62.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\IEPro\\MiniDM.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R1 NDISRD;NDISRD;C:\WINDOWS\system32\drivers\NDISRD.sys [2007-09-29 01:06]
R1 OADevice;OADriver;C:\WINDOWS\system32\drivers\OADriver.sys [2007-11-03 09:40]
R1 OAmon;OAmon;C:\WINDOWS\system32\drivers\OAmon.sys [2007-09-29 01:06]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R2 SvcOnlineArmor;Online Armor;"C:\Program Files\Tall Emu\Online Armor\oasrv.exe" [2007-11-04 02:38]
S3 Afk40;Afk40;C:\WINDOWS\System32\drivers\Afk40.sys []
S3 Agl40;Agl40;C:\WINDOWS\System32\drivers\Agl40.sys []
S3 Chm16;Chm16;C:\WINDOWS\System32\drivers\Chm16.sys []
S3 Chm62;Chm62;C:\WINDOWS\System32\drivers\Chm62.sys [2008-05-02 13:36]
S3 Cim38;Cim38;C:\WINDOWS\System32\drivers\Cim38.sys [2008-05-01 10:58]
S3 Fkp05;Fkp05;C:\WINDOWS\System32\drivers\Fkp05.sys []
S3 Fkp51;Fkp51;C:\WINDOWS\System32\drivers\Fkp51.sys []
S3 Fkp61;Fkp61;C:\WINDOWS\System32\drivers\Fkp61.sys []
S3 Gmq05;Gmq05;C:\WINDOWS\System32\drivers\Gmq05.sys []
S3 Hmr38;Hmr38;C:\WINDOWS\System32\drivers\Hmr38.sys []
S3 Hmr62;Hmr62;C:\WINDOWS\System32\drivers\Hmr62.sys [2008-05-02 13:34]
S3 Ins38;Ins38;C:\WINDOWS\System32\drivers\Ins38.sys []
S3 Kpu38;Kpu38;C:\WINDOWS\System32\drivers\Kpu38.sys []
S3 Lrw62;Lrw62;C:\WINDOWS\System32\drivers\Lrw62.sys []
S3 Nsx40;Nsx40;C:\WINDOWS\System32\drivers\Nsx40.sys []
S3 Qvb61;Qvb61;C:\WINDOWS\System32\drivers\Qvb61.sys [2008-05-02 13:36]
S3 Sxd61;Sxd61;C:\WINDOWS\System32\drivers\Sxd61.sys []
S3 tcpsr;tcpsr;C:\WINDOWS\System32\drivers\tcpsr.sys [2008-05-06 14:03]
S3 Tye16;Tye16;C:\WINDOWS\System32\drivers\Tye16.sys []
S3 Tye38;Tye38;C:\WINDOWS\System32\drivers\Tye38.sys []
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"C:\Program Files\Windows Live\Messenger\usnsvc.exe" [2007-10-18 12:31]
S3 Wdh27;Wdh27;C:\WINDOWS\System32\drivers\Wdh27.sys []
S3 Xdi16;Xdi16;C:\WINDOWS\System32\drivers\Xdi16.sys []
S3 Yej62;Yej62;C:\WINDOWS\System32\drivers\Yej62.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c72badf0-b31b-11dc-953a-c3c1670b1a84}]
\Shell\AutoOpen\command - F:\.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-23 02:30:01 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart.ex
- C:\Program Files\ErrorSmart
"2008-05-05 20:00:22 C:\WINDOWS\Tasks\User_Feed_Synchronization-{9504676A-6C34-4D3A-B2E5-9943296C7447}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2008-05-06 23:27:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-05-06 23:32:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-06 21:32:27

Pre-Run: 34,692,345,856 bytes free
Post-Run: 34,717,974,528 bytes free

238 --- E O F --- 2008-05-06 17:01:35

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Temporarily disable your antivirus...

Upload the following files:

C:\WINDOWS\system32\drivers\tcpsr.sys
C:\WINDOWS\system32\drivers\Qvb61.sys
C:\WINDOWS\system32\cbOCR.dll

via this link: [Link visible only to logged-in users]

If any of the listed files cannot be uploaded, continue uploading the remaining files and with the rest of the instructions.



-------------------------------------------------------------------------------------



Download the following file to the Desktop:

[Link visible only to logged-in users]

Double-click to start the program, then click Install.



-------------------------------------------------------------------------------------



Open Notepad and copy the following text (everything inside the Code box):


File::
C:\WINDOWS\system32\drivers\tcpsr.sys
C:\WINDOWS\system32\drivers\Qvb61.sys
C:\WINDOWS\system32\drivers\Chm62.sys
C:\WINDOWS\system32\drivers\Hmr62.sys
C:\WINDOWS\system32\cbOCR.dll
C:\Documents and Settings\irina\cbOCR.dll
C:\WINDOWS\system32\drivers\Cim38.sys

Driver::
Afk40
Agl40
Chm16
Chm62
Cim38
Fkp05
Fkp51
Fkp61
Gmq05
Hmr38
Hmr62
Ins38
Kpu38
Lrw62
Nsx40
Qvb61
Sxd61
tcpsr
Tye16
Tye38
Wdh27
Xdi16
Yej62

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"advap32"=-
"combofix"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"SFCDisable"=dword:00000000
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Afk40.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Agl40.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Chm16.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Chm62.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Cim15.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Cim38.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Din04.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ekp37.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Fkp05.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Fkp51.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Fkp61.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Gmq05.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hmr38.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hmr62.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ins38.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Kpu38.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lqv04.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lrw62.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Nsx40.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Oty61.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Pua84.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qvb61.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sxd61.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Tye16.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Tye38.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Uaf26.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Uaf62.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Vbg84.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdh27.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdi05.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xdi16.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xej40.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Yej62.sys]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c72badf0-b31b-11dc-953a-c3c1670b1a84}]



Save the Notepad file to the Desktop as "CFScript"




Drag the saved script/text onto the ComboFix icon as shown in the picture.

Post the log produced at the end of the cleaning/scan in your next message.
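As an added example, not part of this thread and not ComboFix's own code: a Python script that performs the triage dr_Bora did by hand above, reading a constructed excerpt of the ComboFix log from this thread and drafting the File::, Driver:: and Registry:: sections of a CFScript. The heuristics, the function names triage and build_cfscript and the sample excerpt are this example's own assumptions.

```python
"""Draft a ComboFix CFScript from a ComboFix log, the way the helper in this thread did by hand.

Heuristics (assumptions of this example, derived from what was removed on this page):
  * a .sys service with a random-looking name (three letters + two digits, e.g. Qvb61), with no
    file timestamp ("[]") or whose binary is in the "Files Created" window -> Driver::;
  * a created file whose basename also appears in another directory (cbOCR.dll twice) -> File::;
  * a Run value launching from a user-writable path or with odd "//" separators -> removed;
  * a non-zero SfcDisable (Windows File Protection switched off) -> reset to 0;
  * SafeBoot\\Minimal keys of flagged or random-named drivers -> deleted.
The name rule is a heuristic and can hit legitimate drivers: review the draft before use.
"""
import re
from collections import Counter

# Constructed excerpt: lines copied from the ComboFix log quoted earlier in this thread.
SAMPLE_LOG = r"""
2008-05-04 18:57 . 2008-05-06 14:03 6,400 --a------ C:\WINDOWS\system32\drivers\tcpsr.sys
2008-05-02 13:36 . 2008-05-02 13:36 14,976 --a------ C:\WINDOWS\system32\drivers\Qvb61.sys
2008-05-01 19:44 . 2008-05-06 13:26 192,512 --a------ C:\WINDOWS\system32\cbOCR.dll
2008-05-01 19:44 . 2008-05-06 13:53 192,512 --a------ C:\Documents and Settings\irina\cbOCR.dll
2008-04-13 19:57 . 2005-11-01 09:52 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-24 14:30 185632]
"advap32"="C:\Documents and Settings\irina\Desktop\.//..//~tmp1174.exe" [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"SfcDisable"=dword:ffffff9d
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Afk40.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qvb61.sys]
@="Driver"
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
S3 Afk40;Afk40;C:\WINDOWS\System32\drivers\Afk40.sys []
S3 Qvb61;Qvb61;C:\WINDOWS\System32\drivers\Qvb61.sys [2008-05-02 13:36]
S3 tcpsr;tcpsr;C:\WINDOWS\System32\drivers\tcpsr.sys [2008-05-06 14:03]
"""

CREATED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} [\d,]+ \S+ (.+)$")
SAFEBOOT = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\(\w+)\.sys\]$", re.I)
SERVICE = re.compile(r'^[RS]\d\s+(\w+);[^;]*;"?(.+?)"?\s+\[([^\]]*)\]\s*$')
RUNVALUE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[[^\]]*\]$')
SFC = re.compile(r'^"SfcDisable"=dword:([0-9a-f]+)$', re.I)
RANDOM_NAME = re.compile(r"^[A-Za-z]{3}\d{2}$")
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\")


def triage(log: str) -> dict:
    """Parse the log sections this example cares about and apply the heuristics above."""
    created = {}      # lower-case path -> path as written in the log
    safeboot = {}     # driver name -> raw SafeBoot\Minimal registry header line
    services = {}     # service name -> (binary path, timestamp text inside [])
    run_entries = []  # (raw Run key header, value name) to delete
    sfc = None        # (raw winlogon key header, SfcDisable value)
    section = ""
    for line in (raw.strip() for raw in log.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line  # remember which registry key the following values belong to
        if m := CREATED.match(line):
            created[m.group(1).lower()] = m.group(1)
        elif m := SAFEBOOT.match(line):
            safeboot[m.group(1)] = line
        elif m := SERVICE.match(line):
            services[m.group(1)] = (m.group(2), m.group(3).strip())
        elif m := SFC.match(line):
            sfc = (section, int(m.group(1), 16))
        elif (m := RUNVALUE.match(line)) and section.lower().endswith("\\currentversion\\run]"):
            name, path = m.group(1), m.group(2)
            if "//" in path or any(p in path.lower() for p in USER_WRITABLE):
                run_entries.append((section, name))

    drivers = [n for n, (path, stamp) in services.items()
               if path.lower().endswith(".sys")
               and (RANDOM_NAME.match(n) or stamp == "" or path.lower() in created)]
    # File:: = binaries of flagged drivers that still exist, plus basenames created in two places.
    by_base = Counter(p.rsplit("\\", 1)[-1] for p in created)
    files = {created[services[n][0].lower()] for n in drivers if services[n][0].lower() in created}
    files |= {orig for low, orig in created.items() if by_base[low.rsplit("\\", 1)[-1]] > 1}
    safeboot_hits = [n for n in safeboot if n in drivers or RANDOM_NAME.match(n)]
    return {"files": sorted(files), "drivers": drivers, "run_entries": run_entries,
            "sfc": sfc, "safeboot": safeboot_hits, "safeboot_keys": safeboot}


def build_cfscript(t: dict) -> str:
    """Render the triage result in CFScript syntax (File::, Driver::, Registry:: sections)."""
    out = []
    if t["files"]:
        out += ["File::", *t["files"], ""]
    if t["drivers"]:
        out += ["Driver::", *t["drivers"], ""]
    reg = []
    for key, name in t["run_entries"]:
        reg += [key, f'"{name}"=-']          # "value"=- deletes the value
    if t["sfc"] and t["sfc"][1] != 0:
        reg += [t["sfc"][0], '"SfcDisable"=dword:00000000']
    reg += ["[-" + t["safeboot_keys"][n][1:] for n in t["safeboot"]]  # [-key] deletes the key
    if reg:
        out += ["Registry::", *reg, ""]
    return "\n".join(out)
```

Run `print(build_cfscript(triage(SAMPLE_LOG)))` to see the draft; compare it with the CFScript dr_Bora posted above.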

  • Joined: 06 May 2008
  • Posts: 12

I uploaded the first 3 files, hopefully correctly, and here is the new log file after the scan.

ComboFix 08-05-01.3 - irina 2008-05-07 21:19:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.385.1033.18.77 [GMT 2:00]
Running from: C:\Downloads\ComboFix.exe
Command switches used :: C:\Documents and Settings\irina\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\irina\cbOCR.dll
C:\WINDOWS\system32\cbOCR.dll
C:\WINDOWS\system32\drivers\Chm62.sys
C:\WINDOWS\system32\drivers\Cim38.sys
C:\WINDOWS\system32\drivers\Hmr62.sys
C:\WINDOWS\system32\drivers\Qvb61.sys
C:\WINDOWS\system32\drivers\tcpsr.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\irina\cbOCR.dll
C:\WINDOWS\system32\cbOCR.dll
C:\WINDOWS\system32\drivers\Chm62.sys
C:\WINDOWS\system32\drivers\Cim38.sys
C:\WINDOWS\system32\drivers\Hmr62.sys
C:\WINDOWS\system32\drivers\Qvb61.sys
C:\WINDOWS\system32\drivers\tcpsr.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NSX40
-------\Legacy_TCPSR
-------\Service_Afk40
-------\Service_Agl40
-------\Service_Chm16
-------\Service_Chm62
-------\Service_Cim38
-------\Service_Fkp05
-------\Service_Fkp51
-------\Service_Fkp61
-------\Service_Gmq05
-------\Service_Hmr38
-------\Service_Hmr62
-------\Service_Ins38
-------\Service_Kpu38
-------\Service_Lrw62
-------\Service_Nsx40
-------\Service_Qvb61
-------\Service_Sxd61
-------\Service_tcpsr
-------\Service_Tye16
-------\Service_Tye38
-------\Service_Wdh27
-------\Service_Xdi16
-------\Service_Yej62


((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.

2008-05-07 21:11 . 2008-04-14 05:42 578,560 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-05-06 23:36 . 2008-05-06 23:36 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-05-06 23:36 . 2008-05-07 21:11 <DIR> d--hs---- C:\WINDOWS\system32\dllcache
2008-05-06 23:36 . 2008-05-06 23:36 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-05-06 23:02 . 2008-05-06 23:02 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-06 21:48 . 2008-05-06 22:19 <DIR> d-------- C:\Program Files\Panda Security
2008-05-06 18:49 . 2008-05-07 15:38 <DIR> d-------- C:\Documents and Settings\irina\Application Data\IEPro
2008-05-06 18:48 . 2008-05-06 18:49 <DIR> d-------- C:\Program Files\IEPro
2008-05-06 16:58 . 2008-05-06 16:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-05 20:44 . 2008-05-05 20:44 <DIR> d-------- C:\Program Files\Common Files\Raxco
2008-05-05 20:15 . 2008-05-05 20:17 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-05-05 19:49 . 2008-05-05 19:49 <DIR> d-------- C:\Documents and Settings\irina\.housecall6.6
2008-05-04 20:40 . 2008-05-04 20:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GameHouse
2008-04-28 16:57 . 2008-04-28 16:57 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Yahoo!
2008-04-28 16:56 . 2008-04-29 12:03 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\IE7Pro
2008-04-13 19:57 . 2005-11-01 09:52 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2008-04-13 19:57 . 2005-11-01 09:52 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2008-04-13 19:57 . 2005-11-01 09:52 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2008-04-13 19:57 . 2005-11-01 09:52 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2008-04-13 19:57 . 2005-11-01 09:52 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2008-04-13 19:57 . 2005-11-01 09:52 5,632 --a------ C:\WINDOWS\system32\kbd103.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 19:34 --------- d-----w C:\Documents and Settings\irina\Application Data\OnlineArmor
2008-05-07 19:29 --------- d-----w C:\Program Files\FlashGet
2008-05-06 18:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\GoBit Games
2008-05-06 16:48 --------- d-----w C:\Program Files\IE7Pro
2008-05-05 18:44 --------- d-----w C:\Program Files\Raxco
2008-04-05 17:12 --------- d-----w C:\Documents and Settings\irina\Application Data\IE7Pro
2007-10-24 16:01 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
.
C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
578,048 2007-03-08 15:48:36 C:\WINDOWS\SoftwareDistribution\Download\4d9d678c0d8af22c04a4a7fc7f1ff86c\sp2qfe\user32.dll
577,024 2005-11-01 08:53:24 C:\WINDOWS\system32\user32.dll
578,560 2008-04-14 03:42:10 C:\WINDOWS\system32\dllcache\user32.dll


------- Sigcheck -------

2005-11-01 10:55 502272 847c91b55752adee4cb76b8252ee5691 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((( [Link mogu videti samo ulogovani korisnici] )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-06 21:20:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-07 19:31:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2007-04-25 13:08:36 2,233,944 ----a-w C:\WINDOWS\Downloaded Program Files\msi.1.0.0.8.dll
+ 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2005-11-01 08:52:56 1,852,928 ----a-w C:\WINDOWS\system32\dllcache\acgenral.dll
+ 2004-08-03 22:56:42 450,048 ----a-w C:\WINDOWS\system32\dllcache\aclayers.dll
+ 2004-08-03 22:56:42 244,736 ----a-w C:\WINDOWS\system32\dllcache\acspecfc.dll
+ 2004-08-03 22:56:42 116,224 ----a-w C:\WINDOWS\system32\dllcache\acxtrnal.dll
+ 2004-08-03 22:56:48 98,304 ----a-w C:\WINDOWS\system32\dllcache\ahui.exe
+ 2004-08-03 22:56:42 126,976 ----a-w C:\WINDOWS\system32\dllcache\apphelp.dll
+ 2008-05-07 19:32:29 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_628.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-26 23:10 68856]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 23:57 1103480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-24 14:30 185632]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55 267064]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"SoundMan"="SOUNDMAN.EXE" [2005-11-01 10:56 90112 C:\WINDOWS\SOUNDMAN.EXE]
"MagUninstall"="C:\Program Files\Ashampoo\Ashampoo Magical UnInstall\MagicalUnInstall.exe" [ ]
"combofix"="C:\WINDOWS\system32\CF12427.exe" [2004-08-04 00:56 388608]
"OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe" [2007-11-04 02:38 4803136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="cmd.exe" [2004-08-04 00:56 388608 C:\WINDOWS\system32\cmd.exe]
"nlhr"="C:\WINDOWS\System32\AdvPack.Dll" [2004-08-04 00:56 99840]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 22:59 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll [2007-11-04 02:38 633344]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\IEPro\\MiniDM.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R1 NDISRD;NDISRD;C:\WINDOWS\system32\drivers\NDISRD.sys [2007-09-29 01:06]
R1 OADevice;OADriver;C:\WINDOWS\system32\drivers\OADriver.sys [2007-11-03 09:40]
R1 OAmon;OAmon;C:\WINDOWS\system32\drivers\OAmon.sys [2007-09-29 01:06]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R2 SvcOnlineArmor;Online Armor;"C:\Program Files\Tall Emu\Online Armor\oasrv.exe" [2007-11-04 02:38]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"C:\Program Files\Windows Live\Messenger\usnsvc.exe" [2007-10-18 12:31]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c72badf0-b31b-11dc-953a-c3c1670b1a84}]
\Shell\AutoOpen\command - F:\.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-23 02:30:01 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart.ex
- C:\Program Files\ErrorSmart
"2008-05-07 13:27:09 C:\WINDOWS\Tasks\User_Feed_Synchronization-{9504676A-6C34-4D3A-B2E5-9943296C7447}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2008-05-07 21:34:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-05-07 21:40:51 - machine was rebooted [irina]
ComboFix-quarantined-files.txt 2008-05-07 19:40:37
ComboFix2.txt 2008-05-06 21:32:49

Pre-Run: 34,611,580,928 bytes free
Post-Run: 34,570,153,984 bytes free

201 --- E O F --- 2008-05-07 14:53:03

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Everything was done as it should be... But we are not finished yet.

Download the following file to the Desktop:

[Link visible only to logged-in users]

Run it by double-clicking... Press any key to close the window.

-------------------------------------------------------------------------------------

Open the following page:

[Link visible only to logged-in users]

Click Download and save that file to the Desktop.

Drag the downloaded file onto the ComboFix icon as in the picture:

Follow the installation procedure to the end (click Next, OK and so on...).

A notification will appear that the Recovery Console was installed successfully, and you will be asked whether you want to continue the scanning process - click Yes.

When the process finishes, copy here the logfile that ComboFix will create.

  • Joined: 06 May 2008
  • Posts: 12

When downloading this first file, a MiniDM screen opens and I have the options Open and Clear on the side and New Task, Clear All, Options and Close at the bottom. Which of these should I click so it can be saved to the Desktop?

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Right-click the link and choose the Save as option (Save target as or something similar).

  • Joined: 06 May 2008
  • Posts: 12

I am downloading the second file, but the first one just opens in the window I described, and when I clicked Open I got a message that it cannot find some file in system32.

Update: 07 May 2008 23:40

I did download the first file to the Desktop after all, but I could not finish the scan with ComboFix and post the log file. I dragged the download onto ComboFix as instructed, and in the middle of the scan I again got a blue screen with the message I wrote in my first post, driver irql not less or equal, and I had to restart the computer. I repeated the procedure with ComboFix and got a message that the Recovery Console is already installed and that the operation will be aborted.

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

OK. Run ComboFix again (just double-click the file, nothing more) and post the new log.
