Kryptik.JX trojan

offline
  • Joined: 20 Dec 2004
  • Posts: 2887
  • Location: In the Balkans

NOD32 found the Kryptik.JX trojan on my machine this evening.
The AV reported that three files were infected and that it had moved them to quarantine. I restarted the computer and scanned the system32 folder again. This time 8 files were infected.

I restarted the computer once more and scanned that folder and the memory. This time NOD32 found nothing. Note that I only scanned that folder; I'll scan the whole system tomorrow, because it's too late now.

I think the AV has done its job, but I'd like the opinion of someone more experienced.

Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:30 AM, on 3/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\TOSHIBA\IVP\ISM\ivpsvmgr.exe
C:\Documents and Settings\Miljan\Desktop\tr3\tr3.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V.....5192969437
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\system32\dllhost.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\omtsreco.exe
O23 - Service: OracleServiceXE - Oracle Corporation - c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
O23 - Service: OracleXEClrAgent - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe
O23 - Service: OracleXETNSListener - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
O23 - Service: pinger - Unknown owner - C:\TOSHIBA\IVP\ISM\pinger.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\system32\dllhost.exe (file missing)
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10435 bytes
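The log above is the kind of artifact a helper reads by hand: the indicators a reviewer checks first are processes running from user-writable directories (the Desktop entry at the end of the process list), Run values that carry only a bare file name (`TFncKy.exe`, `RTHDCPL.EXE`), an unresolved Global Startup shortcut, and O23 services whose file is missing or whose owner is unknown. The following added example, which is not part of the thread and not a tool of the forum's "ambulanta", automates that first pass: it parses HijackThis v2 lines into structured entries and emits a finding per indicator. The `SAMPLE_LOG` is a constructed excerpt shaped like the quoted log, and the finding codes are this example's own naming.

```python
import re

# Constructed sample (not the thread's full log): a few lines in the HijackThis v2
# format, shaped like the entries quoted in the first post, so the script runs offline.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Documents and Settings\Miljan\Desktop\tr3\tr3.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - Global Startup: hpoddt01.exe.lnk = ?
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: pinger - Unknown owner - C:\TOSHIBA\IVP\ISM\pinger.exe
"""

# "O4 - ...", "O23 - ...", "R1 - ..." lines: section id, then the entry body.
ENTRY_RE = re.compile(r"^([OR]\d+) - (.*)$")
# A Run value is either a quoted path or an unquoted path up to the first ".exe";
# whatever follows is command-line arguments.
RUN_TARGET_RE = re.compile(r'"([^"]+)"|(.*?\.exe)', re.IGNORECASE)
# Directories an unprivileged XP user can write to; a process running from one of
# these deserves a second look.
USER_WRITABLE_HINTS = ("\\documents and settings\\", "\\temp\\")


def parse_hjt(text):
    """Return (running_processes, [(section, body), ...]) from a HijackThis log."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def run_target(body):
    """Extract the executable path from an 'O4 - ...: [name] <command>' body."""
    m = re.search(r"\] (.*)$", body)
    if not m:
        return None
    t = RUN_TARGET_RE.match(m.group(1).strip())
    return (t.group(1) or t.group(2)) if t else None


def triage(processes, entries):
    """Flag the indicators a reviewer checks first; the codes are this example's own."""
    findings = []
    for proc in processes:
        if any(h in proc.lower() for h in USER_WRITABLE_HINTS):
            findings.append(("process-in-user-dir", proc))
    for section, body in entries:
        if section == "O4":
            if body.startswith("Global Startup:") and body.endswith("= ?"):
                findings.append(("startup-shortcut-unresolved", body))
                continue
            target = run_target(body)
            # A bare file name is located via the system search path at logon,
            # so the log alone does not prove which binary actually runs.
            if target and "\\" not in target:
                findings.append(("run-entry-bare-filename", body))
        elif section == "O23":
            if "(file missing)" in body:
                findings.append(("service-file-missing", body))
            elif " - Unknown owner - " in body:
                findings.append(("service-unknown-owner", body))
    return findings


if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_LOG)
    for code, detail in triage(procs, ents):
        print(f"{code:28} {detail}")
```

A finding is a prompt to verify, not a verdict: the bare-name Run entries in the thread resolve to legitimate Toshiba and Realtek binaries (the later ComboFix output even prints the resolved paths), and the "(file missing)" services are leftovers of an uninstalled Symantec product. The point of the script is to make the reviewer look at those lines first.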

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

* Start ESET Smart Security/ESET NOD32 as follows:
Start > All Programs > ESET > ESET Smart Security, or ESET NOD32 Antivirus (if you are using only the Antivirus solution).

* When the program's main window opens, click the Setup option on the left side of the window;
* Select the Antivirus and antispyware option and click Temporarily disable Antivirus and antispyware protection.
* Click Yes on the next question.

Note: Don't forget to turn this option back on once the cleaning is finished.

Download ComboFix to the Desktop from one of the following addresses:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and don't touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log will appear (C:\ComboFix.txt), which you will copy here for us.

offline
  • Joined: 20 Dec 2004
  • Posts: 2887
  • Location: In the Balkans

ComboFix 09-03-06.02 - Miljan 2009-03-09 8:28:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1334 [GMT -5:00]
Running from: c:\documents and settings\Miljan\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\MabryObj.dll
c:\windows\system32\nett12.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-09 to 2009-03-09 )))))))))))))))))))))))))))))))
.

2009-03-08 22:18 . 2009-03-08 22:19 <DIR> d-------- c:\program files\Transcender
2009-03-08 22:18 . 2007-11-15 19:11 2,155,096 --a------ c:\windows\system32\QDMEAXRT.ocx
2009-03-07 09:21 . 2009-03-07 09:21 <DIR> d-------- c:\program files\Common Files\Macromedia
2009-03-07 09:20 . 2009-03-07 09:20 <DIR> d-------- c:\program files\Macromedia
2009-03-04 21:38 . 2009-03-04 21:38 <DIR> d-------- c:\program files\TechSmith
2009-03-04 21:38 . 2009-03-04 21:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\TechSmith
2009-03-04 21:37 . 2009-03-04 21:37 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-04 21:09 . 2009-03-04 21:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\LightScribe
2009-03-01 21:50 . 2009-03-01 21:50 <DIR> d-------- c:\program files\Microsoft Visual Studio .NET
2009-03-01 21:49 . 2009-03-01 21:50 <DIR> d-------- C:\oraclexe
2009-03-01 01:29 . 2009-03-07 09:25 182 --a------ c:\windows\wcx_ftp.ini
2009-03-01 01:27 . 2009-03-01 01:28 <DIR> d-------- C:\totalcmd
2009-03-01 01:27 . 2009-03-07 09:25 1,594 --a------ c:\windows\wincmd.ini
2009-03-01 01:27 . 2008-08-08 08:04 545 --a------ c:\windows\UC.PIF
2009-03-01 01:27 . 2008-08-08 08:04 545 --a------ c:\windows\RAR.PIF
2009-03-01 01:27 . 2008-08-08 08:04 545 --a------ c:\windows\PKZIP.PIF
2009-03-01 01:27 . 2008-08-08 08:04 545 --a------ c:\windows\PKUNZIP.PIF
2009-03-01 01:27 . 2008-08-08 08:04 545 --a------ c:\windows\NOCLOSE.PIF
2009-03-01 01:27 . 2008-08-08 08:04 545 --a------ c:\windows\LHA.PIF
2009-03-01 01:27 . 2008-08-08 08:04 545 --a------ c:\windows\ARJ.PIF
2009-02-28 21:41 . 2009-02-28 21:41 <DIR> dr------- c:\documents and settings\Miljan\Application Data\Brother
2009-02-28 21:41 . 2009-03-05 15:29 426 --a------ c:\windows\BRWMARK.INI
2009-02-28 21:41 . 2009-02-28 21:41 34 --a------ c:\windows\system32\BD5250DN.DAT
2009-02-27 23:19 . 2009-02-27 23:49 <DIR> d-------- c:\documents and settings\Miljan\dwhelper
2009-02-27 21:07 . 2009-02-27 21:07 <DIR> d-------- c:\windows\Sun
2009-02-24 13:03 . 2009-02-24 13:03 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-02-24 07:36 . 2008-10-16 15:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-02-24 07:36 . 2008-10-16 15:06 208,744 --a------ c:\windows\system32\muweb.dll
2009-02-24 07:36 . 2008-10-16 15:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-02-23 15:45 . 2009-03-08 18:49 488 --a------ C:\hpfr5550.xml
2009-02-23 15:44 . 2009-02-23 15:44 <DIR> d-------- c:\documents and settings\Miljan\Application Data\Hewlett-Packard
2009-02-23 15:41 . 2008-04-13 13:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-02-23 15:41 . 2008-04-13 13:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2009-02-23 15:40 . 2009-02-23 15:40 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2009-02-23 15:40 . 2008-04-13 13:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-02-23 15:40 . 2008-04-13 13:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-02-23 15:39 . 2009-02-23 15:39 <DIR> d-------- c:\program files\Hewlett-Packard
2009-02-23 15:38 . 2009-02-23 15:38 <DIR> d-------- c:\temp\HP All-in-One Series Web Release
2009-02-23 15:38 . 2009-02-23 15:38 <DIR> d-------- C:\temp
2009-02-23 15:38 . 2009-02-23 15:42 19,558 --a------ c:\windows\hpoins01.dat
2009-02-23 15:38 . 2003-04-22 11:24 16,606 --------- c:\windows\hpomdl01.dat
2009-02-23 14:50 . 2009-02-23 14:50 <DIR> d-------- c:\documents and settings\Miljan\Application Data\OpenOffice.org
2009-02-23 14:14 . 2009-02-23 14:14 <DIR> d-------- c:\program files\iTunes
2009-02-23 14:14 . 2009-02-23 14:14 <DIR> d-------- c:\program files\iPod
2009-02-23 14:14 . 2009-02-23 14:14 <DIR> d-------- c:\program files\Bonjour
2009-02-23 14:14 . 2009-02-23 14:41 <DIR> d-------- c:\documents and settings\Miljan\Application Data\Apple Computer
2009-02-23 14:14 . 2009-02-23 14:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-23 14:13 . 2009-02-23 14:13 <DIR> d-------- c:\program files\QuickTime
2009-02-23 14:13 . 2009-02-23 14:14 <DIR> d-------- c:\program files\Common Files\Apple
2009-02-23 14:13 . 2009-02-23 14:13 <DIR> d-------- c:\program files\Apple Software Update
2009-02-23 14:13 . 2009-02-23 14:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-23 14:13 . 2009-02-23 14:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-02-23 13:33 . 2009-02-23 13:33 <DIR> d-------- c:\program files\FLV Player
2009-02-23 13:28 . 2009-02-23 13:28 <DIR> d-------- c:\documents and settings\Miljan\Application Data\DivX
2009-02-23 13:27 . 2009-02-23 13:28 <DIR> d-------- c:\program files\DivX
2009-02-23 12:42 . 2009-03-08 19:59 2,984,152 --a------ C:\bar.emf
2009-02-23 12:02 . 2009-02-23 12:02 162 --a------ c:\windows\ODBC.INI
2009-02-23 11:34 . 2009-02-23 12:04 <DIR> d-------- c:\documents and settings\Miljan\Application Data\GetRightToGo
2009-02-23 11:31 . 2009-02-23 11:31 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-02-22 14:06 . 2009-03-08 23:02 69 --a------ c:\windows\NeroDigital.ini
2009-02-22 14:05 . 2009-03-07 11:45 <DIR> d-------- c:\documents and settings\Miljan\Application Data\U3
2009-02-21 21:16 . 2009-02-21 21:16 <DIR> d-------- c:\program files\FileZilla FTP Client
2009-02-21 21:16 . 2009-02-27 16:31 <DIR> d-------- c:\documents and settings\Miljan\Application Data\FileZilla
2009-02-21 21:13 . 2009-02-21 21:04 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-21 21:10 . 2009-02-21 21:10 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-21 21:10 . 2009-02-21 21:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-21 21:05 . 2009-02-21 21:04 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-21 21:03 . 2009-02-21 21:03 <DIR> d-------- c:\program files\Lavasoft
2009-02-21 21:03 . 2009-02-21 21:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-21 21:03 . 2009-02-21 21:03 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-21 21:00 . 2009-02-21 21:00 <DIR> d-------- c:\program files\Trend Micro
2009-02-21 20:56 . 2009-02-21 20:56 <DIR> d-------- c:\documents and settings\Miljan\.tuxguitar-1.0
2009-02-21 20:55 . 2009-02-21 20:56 <DIR> d-------- c:\program files\tuxguitar-1.0
2009-02-21 20:47 . 2009-02-21 20:47 <DIR> d-------- c:\program files\Common Files\LightScribe
2009-02-21 20:46 . 2009-03-04 21:09 <DIR> d-------- c:\documents and settings\Miljan\Application Data\Ahead
2009-02-21 20:46 . 2009-02-21 20:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ahead
2009-02-21 20:42 . 2009-02-21 20:42 <DIR> d-------- c:\program files\Nero
2009-02-21 20:42 . 2009-02-21 20:46 <DIR> d-------- c:\program files\Common Files\Ahead
2009-02-21 20:42 . 2009-02-21 20:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
2009-02-21 20:25 . 2009-02-21 20:25 <DIR> d-------- c:\windows\system32\LogFiles
2009-02-21 15:05 . 2009-02-21 15:05 <DIR> d-------- c:\program files\NewTech Infosystems
2009-02-21 15:05 . 2007-12-06 09:06 24,147,994 --a------ C:\Shadow for PC.exe
2009-02-21 15:05 . 2000-08-02 21:50 1,056,768 --a------ c:\windows\system32\roboex32.dll
2009-02-21 14:52 . 2009-02-21 14:52 <DIR> d-------- c:\program files\OpenOffice.org 3
2009-02-21 14:52 . 2009-02-21 14:52 <DIR> d-------- c:\program files\JRE
2009-02-21 08:42 . 2009-02-21 08:44 <DIR> d-------- c:\documents and settings\Miljan\Application Data\Dev-Cpp
2009-02-21 08:42 . 2009-02-21 08:42 <DIR> d-------- C:\Dev-Cpp
2009-02-21 08:19 . 2008-04-13 19:11 21,504 --a------ c:\windows\system32\hidserv.dll
2009-02-21 08:19 . 2008-04-13 19:11 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
2009-02-21 08:18 . 2008-04-13 13:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2009-02-21 08:18 . 2008-04-13 13:39 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2009-02-21 08:18 . 2001-08-17 14:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2009-02-21 08:18 . 2001-08-17 14:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2009-02-21 08:18 . 2008-04-13 13:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2009-02-21 08:18 . 2008-04-13 13:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2009-02-21 01:22 . 2009-02-21 01:22 <DIR> d-------- c:\program files\Notepad++
2009-02-21 01:22 . 2009-02-21 01:22 <DIR> d-------- c:\documents and settings\Miljan\Application Data\Notepad++
2009-02-21 01:19 . 2009-02-21 01:19 <DIR> d-------- c:\program files\ESET
2009-02-21 01:19 . 2009-02-21 01:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2009-02-21 01:12 . 2009-02-21 01:12 16 --a------ c:\windows\system32\coh.cache
2009-02-21 01:04 . 2008-06-13 06:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-02-21 01:02 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-21 01:02 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-21 01:02 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-21 01:02 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-21 01:02 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2009-02-21 01:01 . 2009-02-21 01:01 0 --a------ c:\windows\nsreg.dat
2009-02-21 00:59 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-02-21 00:59 . 2008-05-08 09:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2009-02-21 00:58 . 2008-04-11 14:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-02-21 00:58 . 2008-12-11 05:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-02-21 00:58 . 2008-05-01 09:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-02-21 00:57 . 2008-12-20 18:15 6,066,688 -----c--- c:\windows\system32\dllcache\ieframe.dll
2009-02-21 00:57 . 2007-04-17 04:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2009-02-21 00:57 . 2007-03-08 00:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2009-02-21 00:57 . 2008-12-20 18:15 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2009-02-21 00:57 . 2008-12-20 18:15 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2009-02-21 00:57 . 2008-12-20 18:15 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2009-02-21 00:57 . 2008-12-20 18:15 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2009-02-21 00:57 . 2008-12-20 18:15 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2009-02-21 00:57 . 2008-12-19 04:10 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2009-02-21 00:56 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2009-02-21 00:56 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-02-21 00:56 . 2008-10-03 05:02 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll
2009-02-21 00:53 . 2009-02-21 00:53 4,212 --ah----- c:\windows\system32\zllictbl.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-07 14:20 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-02 02:50 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-02 02:48 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-22 01:52 --------- d-----w c:\program files\Google
2009-02-21 19:52 --------- d-----w c:\program files\Java
2009-02-21 06:15 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-21 06:15 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-21 05:42 --------- d-----w c:\program files\TOSHIBA
2009-02-21 05:35 21,361 ----a-w c:\windows\system32\drivers\AegisP.sys
2009-02-21 05:35 21,361 ----a-w c:\windows\AegisP.sys
2009-02-21 05:35 --------- d-----w c:\program files\Intel
2009-02-21 05:29 315,392 ----a-w c:\windows\HideWin.exe
2009-02-21 05:29 --------- d-----w c:\program files\Realtek
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-12-11 00:33 86,016 ----a-w c:\windows\system32\dpl100.dll
2008-12-11 00:33 200,704 ----a-w c:\windows\system32\dtu100.dll
2008-12-09 02:28 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-12-09 02:28 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-12-09 02:28 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-12-09 02:28 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-03-07 03:25 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2008-03-04 360448]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-13 311296]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-09 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-05 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-05 137752]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-10-24 1451264]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-21 509784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"TFncKy"="TFncKy.exe" [BU]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-29 c:\windows\RTHDCPL.exe]
"TPSMain"="TPSMain.exe" [2007-10-08 c:\windows\system32\TPSMain.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 28672]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-21 64160]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-10-24 34824]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-10-24 468224]
R2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]
R2 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\BIN\TNSLSNR.EXE [2006-02-02 204800]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-03-26 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-02-19 134016]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-03-06 5888]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE --> c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-02-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-21 21:04]

2009-02-23 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1235421750.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 18:56]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Miljan\Application Data\Mozilla\Firefox\Profiles\vmpwepcz.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-09 08:29:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\netprovcredman.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-03-09 8:30:22
ComboFix-quarantined-files.txt 2009-03-09 13:30:20

Pre-Run: 120,034,508,800 bytes free
Post-Run: 120,123,183,104 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

270 --- E O F --- 2009-02-25 18:32:54

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Can you upload the folder c:\qoobox\quarantine for me?
What ComboFix deleted looks suspicious to me, so I'd like to see what it is.

Pack that folder into a single ZIP and upload it via the following form:
http://www.mycity.rs/ambulanta-upload.php

Update: 09 Mar 2009 14:59

I also need the following file for checking:
c:\windows\system32\netprovcredman.dll

Please upload it as well.

Update: 09 Mar 2009 15:02

Balkanac, take a look at the following:
http://www.thepatri0t.net/2009/03/09/nod32-false-alarm-win32-kryptik-jx/

It looks like ESET pushed out bad signatures and NOD deleted people's system files because of those bad signatures.

offline
  • Joined: 20 Dec 2004
  • Posts: 2887
  • Location: In the Balkans

I uploaded what you asked for.

I looked at the link too.
I had the same update - 3918
But my fix was 1091, and that was supposedly resolved with 1092. In any case, I've updated now.

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

I looked at the files, nothing suspicious.
That one MabryObj.dll is some toolbar or BHO for IE. I see that no antivirus flags it as malicious, but I read on other sites that it is malicious after all.

Is NOD still reporting anything?

offline
  • Joined: 20 Dec 2004
  • Posts: 2887
  • Location: In the Balkans

NOD hasn't registered anything since last night when it found that "trojan".

Should I restore the files from quarantine and try scanning again?

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Can you pull out the log file, so I can see what it deleted?

Do you have an option to scan the files in quarantine (some AV programs have one)?

offline
  • Joined: 20 Dec 2004
  • Posts: 2887
  • Location: In the Balkans

[two attached screenshots of the NOD32 log, visible only to logged-in users]

Same file, different format.

I can't scan files inside the quarantine.

offline
  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

It deleted two system files and a couple of temp files.
I would restore them from quarantine and scan again.
