Log file

  • BCC
  • New MyCity citizen
  • Joined: 04 Feb 2008
  • Posts: 11

Logfile of HijackThis v1.99.1
Scan saved at 2:58:01 AM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Biljanko\Desktop\novi folder\Tri.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = g.msn.com/1me10enus/2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = g.msn.com/1me10enus/2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = g.msn.com/1me10enus/2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = pac.onspeed.com/pac/?id=08410bbf0638b7a47a2a326097b4b4f4
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {465BABC8-E944-4239-ABA4-B9BB24C99823} - C:\WINDOWS\system32\ddccc.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {cd639631-a893-727a-6d24-c5d720773995} - {59937702-7d5c-42d6-a727-398a136936dc} - C:\WINDOWS\system32\qblsvshu.dll (file missing)
O2 - BHO: (no name) - {74B21226-67B5-4E4C-A4EF-5AD6485C66C7} - C:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {89A1E40D-0254-4F99-B9AE-B60A2D8754A9} - C:\WINDOWS\system32\rqrrqqo.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9F1211FA-5403-4A38-8DC0-A29E8034ACEE} - C:\WINDOWS\system32\awvvu.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C0D3FB0A-62AD-432B-880C-2667B0027CFB} - C:\WINDOWS\system32\ssttt.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TNodUPfinder] C:\prevodi\January 2008\TNOD-U&P.exe
O4 - HKLM\..\Run: [30b4ac3b] rundll32.exe "C:\WINDOWS\system32\ptcgidtt.dll",b
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: bctcpevy - C:\WINDOWS\
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: rqrrqqo - rqrrqqo.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: winjks32 - winjks32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Spybot detected win32.Tiny.abk, which it says is a trojan.
Kaspersky detected Status: riskware Mass mailer software (Object: C:\Windows\system32\services.exe).
Also, at startup I get a message that some file is missing, and when I press OK I get that NT Authority system services.exe notification with status code 1073741819, and then after a minute the computer restarts.

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Download ComboFix to your Desktop from one of the following addresses:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Run it and do not touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear, which you should copy here for us.

  • BCC
  • New MyCity citizen
  • Joined: 04 Feb 2008
  • Posts: 11

ComboFix 08-02.03.1 - Biljanko 2008-02-04 15:09:40.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1744 [GMT 1:00]
Running from: C:\Documents and Settings\Biljanko\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\OPTIONS\CABS\_desktop.ini
C:\WINDOWS\system32\bctcpevy.dllbox
C:\WINDOWS\system32\cccdd.ini
C:\WINDOWS\system32\cccdd.ini2
C:\WINDOWS\system32\llkkj.ini
C:\WINDOWS\system32\llkkj.ini2
C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msvcsv60.dll
C:\WINDOWS\system32\ssprs.dll
C:\WINDOWS\system32\ttdigctp.ini
C:\WINDOWS\system32\tttss.ini
C:\WINDOWS\system32\tttss.ini2
C:\WINDOWS\system32\uvvwa.ini
C:\WINDOWS\system32\uvvwa.ini2

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_MSUPDATE
-------\msupdate


((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.

2008-02-03 15:29 . 2008-02-03 15:39 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-02-03 15:29 . 2008-02-03 15:29 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-02-03 15:28 . 2008-02-03 15:28 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-03 15:28 . 2008-02-04 06:20 6,397,472 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-03 15:28 . 2008-02-04 06:20 86,744 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-03 15:28 . 2008-02-04 15:14 7,200 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-03 15:28 . 2008-02-04 06:20 1,652 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-03 15:07 . 2008-02-03 15:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-02-03 15:05 . 2008-02-03 15:05 <DIR> d-------- C:\kav
2008-02-01 03:20 . 2008-02-01 03:20 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-01 03:20 . 2008-02-04 15:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-31 20:48 . 2008-01-31 20:50 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-01-31 17:17 . 2008-01-31 17:14 691,545 --a------ C:\WINDOWS\unins000.exe
2008-01-31 17:17 . 2008-01-31 17:17 3,455 --a------ C:\WINDOWS\unins000.dat
2008-01-31 17:08 . 2008-01-31 17:08 70,129 --------- C:\AVG7QT.DAT
2008-01-31 16:57 . 2008-01-31 16:57 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-31 16:57 . 2008-02-03 14:52 <DIR> d-------- C:\Documents and Settings\Biljanko\Application Data\AVG7
2008-01-31 16:56 . 2008-02-03 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-31 15:57 . 2008-01-31 15:57 109,248 --a------ C:\WINDOWS\system32\MSWINSCN.OCX
2008-01-31 15:39 . 2008-01-31 15:39 <DIR> d-------- C:\WINDOWS\Web Download
2008-01-31 06:58 . 2008-01-31 06:58 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-31 06:58 . 2008-02-04 04:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-31 06:38 . 2008-01-31 06:38 <DIR> d-------- C:\Program Files\CCleaner
2008-01-31 04:43 . 2008-02-03 12:04 329 --a------ C:\WINDOWS\wininit.ini
2008-01-31 03:37 . 2008-01-31 03:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-01-31 03:03 . 2008-01-31 03:03 54,764 --a------ C:\WINDOWS\system32\btstack.ibs
2008-01-31 03:03 . 2008-01-31 03:03 2 --a------ C:\817147028
2008-01-25 00:08 . 2008-01-25 00:32 <DIR> d-------- C:\Documents and Settings\Biljanko\Application Data\Ableton
2008-01-25 00:08 . 2008-01-25 00:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ableton
2008-01-25 00:07 . 2006-09-27 20:21 368,640 --a------ C:\WINDOWS\system32\ReWire.dll
2008-01-25 00:06 . 2008-01-25 00:32 <DIR> d-------- C:\Program Files\Ableton
2008-01-24 23:50 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-01-24 23:50 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-01-24 23:47 . 2008-01-24 23:47 <DIR> d-------- C:\WINDOWS\system32\INF
2008-01-24 23:47 . 2005-06-14 13:44 85,504 --a------ C:\WINDOWS\system32\ma_cmidn.dll
2008-01-24 23:47 . 2005-06-14 13:44 21,888 --a------ C:\WINDOWS\system32\drivers\ma_cmidi.sys
2008-01-24 23:47 . 2005-06-14 13:44 17,920 --a------ C:\WINDOWS\system32\MA_CMIDI.DLL
2008-01-24 23:47 . 2005-06-14 13:44 14,176 --a------ C:\WINDOWS\system32\MA_CMIDI.DRV
2008-01-24 23:47 . 2005-06-14 13:44 7,282 --a------ C:\WINDOWS\system32\MA_CMIDI.VXD
2008-01-24 23:46 . 2008-01-24 23:47 <DIR> d-------- C:\Program Files\M-Audio MA_CMIDI
2008-01-21 04:28 . 2008-01-21 04:28 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-01-16 15:56 . 2008-01-22 01:01 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-16 15:49 . 2008-01-16 15:58 <DIR> d-------- C:\Documents and Settings\Biljanko\Application Data\Ahead
2008-01-16 15:48 . 2008-01-16 15:48 <DIR> d-------- C:\Program Files\Nero
2008-01-16 15:48 . 2008-01-16 15:49 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-01-14 03:34 . 2008-01-14 03:34 <DIR> d-------- C:\Documents and Settings\Biljanko\Application Data\Uniblue
2008-01-13 16:13 . 2008-01-13 16:13 <DIR> d-------- C:\Documents and Settings\Biljanko\Application Data\ATI
2008-01-13 04:03 . 2008-01-13 04:03 <DIR> d-------- C:\Documents and Settings\Biljanko\WINDOWS
2008-01-13 03:58 . 2008-01-13 16:09 <DIR> d-------- C:\Documents and Settings\Biljanko\Application Data\SlipStream
2008-01-13 03:52 . 2008-02-01 05:07 <DIR> d-------- C:\torrent
2008-01-12 18:44 . 2008-01-13 03:18 <DIR> d-------- C:\Incomplete
2008-01-12 18:41 . 2008-01-13 02:52 <DIR> d-------- C:\LimeWire fileovi
2008-01-12 18:40 . 2008-01-12 18:40 <DIR> d-------- C:\Program Files\LimeWire
2008-01-12 18:40 . 2008-01-13 02:52 <DIR> d-------- C:\Documents and Settings\Biljanko\Application Data\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 05:18 --------- d-----w C:\Documents and Settings\Biljanko\Application Data\MailWasherPro
2008-02-01 14:54 --------- d-----w C:\Documents and Settings\Biljanko\Application Data\uTorrent
2008-01-31 19:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-31 19:09 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-31 02:19 --------- d-----w C:\Program Files\uTorrent
2008-01-24 22:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-16 23:06 196,582 ----a-w C:\WINDOWS\system32\drivers\aStandard.bin
2007-12-26 02:07 --------- d-----w C:\Program Files\Stamina
2007-12-20 17:17 --------- d-----w C:\Program Files\XnView
2007-12-20 17:10 --------- d-----w C:\Program Files\AC3Filter
2007-12-20 17:03 --------- d-----w C:\Program Files\QuickTime Alternative
2007-12-20 17:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-20 17:02 --------- d-----w C:\Program Files\Real Alternative
2007-12-20 16:56 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-12-19 06:45 --------- d-----w C:\Program Files\Microsoft.NET
2007-12-18 21:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Samsung
2007-12-18 21:22 --------- d-----w C:\Program Files\Samsung
2007-12-18 02:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\GRETECH
2007-12-18 02:29 --------- d-----w C:\Documents and Settings\Biljanko\Application Data\GRETECH
2007-12-18 02:28 --------- d-----w C:\Program Files\GRETECH
2007-12-18 00:45 --------- d-----w C:\Documents and Settings\Biljanko\Application Data\Media Player Classic
2007-12-17 23:43 23,396 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2007-12-17 18:55 --------- d-----w C:\Program Files\Mv2Player
2007-12-17 02:02 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-17 02:00 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-17 00:28 --------- d-----w C:\Documents and Settings\Biljanko\Application Data\Corel
2007-12-17 00:12 --------- d-----w C:\Program Files\Common Files\Corel
2007-12-17 00:06 --------- d-----w C:\Program Files\Corel
2007-12-16 23:42 --------- d-----w C:\Program Files\Messenger Plus! Live
2007-12-16 02:17 --------- d-----w C:\Program Files\SystemRequirementsLab
2007-12-16 02:16 --------- d-----w C:\Program Files\Java
2007-12-16 02:16 --------- d-----w C:\Documents and Settings\Biljanko\Application Data\SystemRequirementsLab
2007-12-16 02:13 --------- d-----w C:\Program Files\Common Files\Java
2007-12-16 01:33 --------- d-----w C:\Program Files\HP
2007-12-16 01:14 --------- d-----w C:\Program Files\Common Files\HP
2007-12-16 01:12 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-16 01:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-12-16 00:40 --------- d-----w C:\Program Files\WinPcap
2007-12-15 23:02 --------- d-----w C:\Program Files\Webteh
2007-12-15 21:56 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-12-15 16:16 --------- d-----w C:\Program Files\Free Internet Window Washer
2007-12-15 15:33 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-15 15:21 --------- d-----w C:\Program Files\CD to MP3 Freeware
2007-12-15 13:58 --------- d-----w C:\Program Files\MailWasher
2007-12-15 01:18 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-12-14 23:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-12-14 21:57 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-14 21:57 --------- d-----w C:\Program Files\Windows Live
2007-12-14 21:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-14 21:28 --------- d-----w C:\Documents and Settings\Biljanko\Application Data\Talkback
2007-12-14 18:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-14 18:18 --------- d-----w C:\Program Files\Bonjour
2007-12-14 18:17 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-14 18:13 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-12-14 17:46 --------- d-----w C:\Program Files\Native Instruments
2007-12-14 17:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-13 17:29 --------- d-----w C:\Program Files\IK Multimedia
2007-12-13 17:20 --------- d-----w C:\Program Files\TCWorks
2007-12-13 17:09 --------- d-----w C:\Program Files\Antares Audio Technologies
2007-12-13 17:09 --------- d-----w C:\Program Files\Antares
2007-12-13 17:08 --------- d-----w C:\Program Files\Waves
2007-12-13 17:05 --------- d-----w C:\Program Files\Superwave
2007-12-13 16:56 --------- d-----w C:\Program Files\KORG
2007-12-13 16:56 --------- d-----w C:\Program Files\Common Files\KORG
2007-12-13 16:55 --------- d-----w C:\Program Files\Edirol
2007-12-13 16:54 --------- d-----w C:\Program Files\Way Out Ware
2007-12-13 16:54 --------- d-----w C:\Program Files\Arturia
2007-12-13 16:48 --------- d-----w C:\Program Files\Garritan Personal Orchestra
2007-12-13 15:47 --------- d-----w C:\Program Files\East West
2007-12-13 15:14 --------- d-----w C:\Program Files\Spectrasonics
2007-12-13 12:28 24,592 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
2007-12-13 12:28 --------- d-----w C:\Program Files\Toontrack
2007-12-13 12:15 --------- d-----w C:\Program Files\Common Files\Digidesign
2007-12-13 11:32 --------- d-----w C:\Program Files\Zero-G
2007-12-13 10:32 --------- d-----w C:\Program Files\Zards software
2007-12-13 09:57 --------- d-----w C:\Program Files\XLN Audio
2007-12-13 09:57 --------- d-----w C:\Program Files\Steinberg
2007-12-13 08:48 --------- d-----w C:\Documents and Settings\Biljanko\Application Data\Steinberg
2007-12-13 08:44 --------- d-----w C:\Program Files\Syncrosoft
2007-12-13 06:50 --------- d-----w C:\Program Files\M-Audio
2007-12-12 23:08 --------- d-----w C:\Documents and Settings\Biljanko\Application Data\Nero
2007-12-12 23:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-12-12 23:06 --------- d-----w C:\Program Files\Sony Setup
2007-12-12 23:05 --------- d-----w C:\Program Files\OO Software
2007-12-12 22:49 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-12 22:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-12-12 22:06 --------- d-----w C:\Program Files\My Company Name
2007-12-12 22:06 --------- d-----w C:\Program Files\ASUS
2007-12-12 22:04 --------- d-----w C:\Program Files\ATI Technologies
2007-12-12 22:01 --------- d-----w C:\Program Files\Common Files\ATI Technologies
2007-12-12 21:58 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-12 21:49 --------- d-----w C:\Program Files\Realtek
2007-12-12 21:48 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-12-12 21:47 15,600 ----a-w C:\WINDOWS\gdrv.sys
2007-12-12 21:45 --------- d-----w C:\Program Files\Intel
2007-12-12 21:33 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{465BABC8-E944-4239-ABA4-B9BB24C99823}]
C:\WINDOWS\system32\ddccc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59937702-7d5c-42d6-a727-398a136936dc}]
C:\WINDOWS\system32\qblsvshu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74B21226-67B5-4E4C-A4EF-5AD6485C66C7}]
C:\WINDOWS\system32\jkkll.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9F1211FA-5403-4A38-8DC0-A29E8034ACEE}]
C:\WINDOWS\system32\awvvu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C0D3FB0A-62AD-432B-880C-2667B0027CFB}]
C:\WINDOWS\system32\ssttt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 11:28 139264]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 10:33 16132608 C:\WINDOWS\RTHDCPL.exe]
"JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 13:44 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2007-02-06 13:08 1953792]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"ASUSGamerOSD"="C:\Program Files\ASUS\GamerOSD\GamerOSD.exe" [2007-07-12 10:03 380928]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"M-Audio Delta Taskbar Icon"="C:\WINDOWS\System32\DeltTray.exe" [2004-08-26 23:43 56320]
"DeltTray"="DeltTray.exe" [2004-08-26 23:43 56320 C:\WINDOWS\system32\delttray.exe]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 00:00 385024]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"TNodUPfinder"="C:\prevodi\January 2008\TNOD-U&P.exe" [ ]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-12-18 00:43 227856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk.disabled [2007-12-16 02:13:02 1817]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bctcpevy]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrrqqo]
rqrrqqo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjks32]
winjks32.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
"30b4ac3b"=rundll32.exe "C:\WINDOWS\system32\ptcgidtt.dll",b

R3 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb.sys [2007-07-12 10:03]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 20:08]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys [2007-07-12 10:03]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-12-12 22:47]
S3 MA_CMIDI;%EVOL_USB.SvcDesc%;C:\WINDOWS\system32\drivers\ma_cmidi.sys [2005-06-14 13:44]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 18:31]
S3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2004-09-17 07:04]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2004-09-17 07:05]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2004-09-17 07:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-04 04:37:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-02-04 15:14:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2008-02-04 15:21:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-04 14:18:16
.
2008-02-02 22:54:30 --- E O F ---

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Pack the following files into one ZIP for me:

C:\WINDOWS\system32\ddccc.dll
C:\WINDOWS\system32\qblsvshu.dll
C:\WINDOWS\system32\jkkll.dll
C:\WINDOWS\system32\awvvu.dll
C:\WINDOWS\system32\ssttt.dll
C:\prevodi\January 2008\TNOD-U&P.exe
C:\WINDOWS\system32\ptcgidtt.dll
C:\WINDOWS\system32\bctcpevy
C:\WINDOWS\system32\rqrrqqo
C:\WINDOWS\system32\winjks32

Upload them to me via the following form:
http://www.mycity.rs/ambulanta-upload.php

  • BCC
  • New MyCity citizen
  • Joined: 04 Feb 2008
  • Posts: 11

I can't find a single one of those files, either by searching windows32 or the whole computer. The file C:\prevodi\January 2008\TNOD-U&P.exe was deleted together with its folder even before this scan. I think the other files are from the quarantine of AVG, which has been uninstalled. Still, when I start Windows with the internet connected, Kaspersky gives the same notification, Status: riskware Mass mailer software (Object: C:\Windows\system32\services.exe), and when the popup with that notification appears the whole computer freezes and nothing can be opened. When there is no internet, everything works normally. Spybot still shows that there is Win32.Tiny.abk. In safe mode it doesn't cause problems when the computer is on the internet. Note that I have a permanent internet connection.

  • dr_Bora, Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

My colleague is currently busy, so I'll give you the further instructions...

1. Open Notepad and copy the following text into it:

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{465BABC8-E944-4239-ABA4-B9BB24C99823}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59937702-7d5c-42d6-a727-398a136936dc}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74B21226-67B5-4E4C-A4EF-5AD6485C66C7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9F1211FA-5403-4A38-8DC0-A29E8034ACEE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C0D3FB0A-62AD-432B-880C-2667B0027CFB}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TNodUPfinder"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bctcpevy]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrrqqo]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjks32]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"30b4ac3b"=-



Snimiti na Desktop fajl iz Notepada kao "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.

Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.



-------------------------------------------------------------------------------------

2.

BCC ::Spybot i dalje pokazuje da ima Win32.Tiny.abk.

Šta tačno SpyBot detektuje - treba mi naziv/lokacija file-a.



-------------------------------------------------------------------------------------




3. Also, do the following:
Download the file gmer.zip from this link and save it to the Desktop.
Unpack it into a folder.

Double-click gmer.exe to start it: select the Rootkit tab at the top.
Click Scan.
When the scan is finished, click the Copy button below - this will save the result to the Clipboard.
Use the Paste option in Notepad to turn it into text. Save that text from Notepad as file1.txt.
Repeat the same with the Autostart tab. Save that text from Notepad as file2.txt.


Attach the two files you saved to your message (use the Attach file option).

offline
  • BCC 
  • New MyCity citizen
  • Joined: 04 Feb 2008
  • Posts: 11

1.

ComboFix 08-02.03.1 - Biljanko 2008-02-06 2:21:36.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1575 [GMT 1:00]
Running from: C:\Documents and Settings\Biljanko\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Biljanko\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\system32\msvcsv60.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.

2008-02-03 15:28 . 2008-02-03 15:28 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-03 15:07 . 2008-02-03 15:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-02-03 15:05 . 2008-02-03 15:05 <DIR> d-------- C:\kav
2008-02-01 03:20 . 2008-02-01 03:20 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-01 03:20 . 2008-02-06 02:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-31 20:48 . 2008-01-31 20:50 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-01-31 17:17 . 2008-01-31 17:14 691,545 --a------ C:\WINDOWS\unins000.exe
2008-01-31 17:17 . 2008-01-31 17:17 3,455 --a------ C:\WINDOWS\unins000.dat
2008-01-31 17:08 . 2008-01-31 17:08 70,129 --------- C:\AVG7QT.DAT
2008-01-31 16:57 . 2008-01-31 16:57 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-31 16:57 . 2008-02-03 14:52 <DIR> d-------- C:\Documents and Settings\Biljanko\Application Data\AVG7
2008-01-31 16:56 . 2008-02-03 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-31 15:57 . 2008-01-31 15:57 109,248 --a------ C:\WINDOWS\system32\MSWINSCN.OCX
2008-01-31 15:39 . 2008-01-31 15:39 <DIR> d-------- C:\WINDOWS\Web Download
2008-01-31 06:58 . 2008-01-31 06:58 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-31 06:58 . 2008-02-04 04:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-31 06:38 . 2008-01-31 06:38 <DIR> d-------- C:\Program Files\CCleaner
2008-01-31 04:43 . 2008-02-03 12:04 329 --a------ C:\WINDOWS\wininit.ini
2008-01-31 03:37 . 2008-01-31 03:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-01-31 03:03 . 2008-01-31 03:03 54,764 --a------ C:\WINDOWS\system32\btstack.ibs
2008-01-31 03:03 . 2008-01-31 03:03 2 --a------ C:\817147028
2008-01-25 00:08 . 2008-01-25 00:32 <DIR> d-------- C:\Documents and Settings\Biljanko\Application Data\Ableton
2008-01-25 00:08 . 2008-01-25 00:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ableton
2008-01-25 00:07 . 2006-09-27 20:21 368,640 --a------ C:\WINDOWS\system32\ReWire.dll
2008-01-25 00:06 . 2008-01-25 00:32 <DIR> d-------- C:\Program Files\Ableton
2008-01-24 23:50 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-01-24 23:50 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-01-24 23:47 . 2008-01-24 23:47 <DIR> d-------- C:\WINDOWS\system32\INF
2008-01-24 23:47 . 2005-06-14 13:44 85,504 --a------ C:\WINDOWS\system32\ma_cmidn.dll
2008-01-24 23:47 . 2005-06-14 13:44 21,888 --a------ C:\WINDOWS\system32\drivers\ma_cmidi.sys
2008-01-24 23:47 . 2005-06-14 13:44 17,920 --a------ C:\WINDOWS\system32\MA_CMIDI.DLL
2008-01-24 23:47 . 2005-06-14 13:44 14,176 --a------ C:\WINDOWS\system32\MA_CMIDI.DRV
2008-01-24 23:47 . 2005-06-14 13:44 7,282 --a------ C:\WINDOWS\system32\MA_CMIDI.VXD
2008-01-24 23:46 . 2008-01-24 23:47 <DIR> d-------- C:\Program Files\M-Audio MA_CMIDI
2008-01-21 04:28 . 2008-01-21 04:28 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-01-16 15:56 . 2008-01-22 01:01 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-16 15:49 . 2008-01-16 15:58 <DIR> d-------- C:\Documents and Settings\Biljanko\Application Data\Ahead
2008-01-16 15:48 . 2008-01-16 15:48 <DIR> d-------- C:\Program Files\Nero
2008-01-16 15:48 . 2008-01-16 15:49 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-01-14 03:34 . 2008-01-14 03:34 <DIR> d-------- C:\Documents and Settings\Biljanko\Application Data\Uniblue
2008-01-13 16:13 . 2008-01-13 16:13 <DIR> d-------- C:\Documents and Settings\Biljanko\Application Data\ATI
2008-01-13 04:03 . 2008-01-13 04:03 <DIR> d-------- C:\Documents and Settings\Biljanko\WINDOWS
2008-01-13 03:58 . 2008-01-13 16:09 <DIR> d-------- C:\Documents and Settings\Biljanko\Application Data\SlipStream
2008-01-13 03:52 . 2008-02-01 05:07 <DIR> d-------- C:\torrent
2008-01-12 18:44 . 2008-01-13 03:18 <DIR> d-------- C:\Incomplete
2008-01-12 18:41 . 2008-01-13 02:52 <DIR> d-------- C:\LimeWire fileovi
2008-01-12 18:40 . 2008-01-12 18:40 <DIR> d-------- C:\Program Files\LimeWire
2008-01-12 18:40 . 2008-01-13 02:52 <DIR> d-------- C:\Documents and Settings\Biljanko\Application Data\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 22:19 --------- d-----w C:\Documents and Settings\Biljanko\Application Data\MailWasherPro
2008-02-01 14:54 --------- d-----w C:\Documents and Settings\Biljanko\Application Data\uTorrent
2008-01-31 19:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-31 19:09 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-31 14:57 1,392,671 ----a-w C:\WINDOWS\system32\msvbvm60.dll
2008-01-31 02:19 --------- d-----w C:\Program Files\uTorrent
2008-01-24 22:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-16 23:06 196,582 ----a-w C:\WINDOWS\system32\drivers\aStandard.bin
2007-12-26 02:07 --------- d-----w C:\Program Files\Stamina
2007-12-20 17:17 --------- d-----w C:\Program Files\XnView
2007-12-20 17:10 --------- d-----w C:\Program Files\AC3Filter
2007-12-20 17:03 --------- d-----w C:\Program Files\QuickTime Alternative
2007-12-20 17:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-20 17:02 --------- d-----w C:\Program Files\Real Alternative
2007-12-20 16:56 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-12-19 06:45 --------- d-----w C:\Program Files\Microsoft.NET
2007-12-18 21:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Samsung
2007-12-18 21:22 --------- d-----w C:\Program Files\Samsung
2007-12-18 02:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\GRETECH
2007-12-18 02:29 --------- d-----w C:\Documents and Settings\Biljanko\Application Data\GRETECH
2007-12-18 02:28 --------- d-----w C:\Program Files\GRETECH
2007-12-18 00:45 --------- d-----w C:\Documents and Settings\Biljanko\Application Data\Media Player Classic
2007-12-17 18:55 --------- d-----w C:\Program Files\Mv2Player
2007-12-17 02:02 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-17 02:00 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-17 00:28 --------- d-----w C:\Documents and Settings\Biljanko\Application Data\Corel
2007-12-17 00:12 --------- d-----w C:\Program Files\Common Files\Corel
2007-12-17 00:06 --------- d-----w C:\Program Files\Corel
2007-12-16 23:42 --------- d-----w C:\Program Files\Messenger Plus! Live
2007-12-16 02:17 --------- d-----w C:\Program Files\SystemRequirementsLab
2007-12-16 02:16 --------- d-----w C:\Program Files\Java
2007-12-16 02:16 --------- d-----w C:\Documents and Settings\Biljanko\Application Data\SystemRequirementsLab
2007-12-16 02:13 --------- d-----w C:\Program Files\Common Files\Java
2007-12-16 01:33 --------- d-----w C:\Program Files\HP
2007-12-16 01:14 --------- d-----w C:\Program Files\Common Files\HP
2007-12-16 01:12 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-16 01:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-12-16 00:40 --------- d-----w C:\Program Files\WinPcap
2007-12-15 23:02 --------- d-----w C:\Program Files\Webteh
2007-12-15 21:56 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-12-15 16:16 --------- d-----w C:\Program Files\Free Internet Window Washer
2007-12-15 15:33 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-15 15:21 --------- d-----w C:\Program Files\CD to MP3 Freeware
2007-12-15 13:58 --------- d-----w C:\Program Files\MailWasher
2007-12-15 01:18 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-12-14 23:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-12-14 21:57 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-14 21:57 --------- d-----w C:\Program Files\Windows Live
2007-12-14 21:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-14 21:28 --------- d-----w C:\Documents and Settings\Biljanko\Application Data\Talkback
2007-12-14 18:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-14 18:18 --------- d-----w C:\Program Files\Bonjour
2007-12-14 18:17 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-14 18:13 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-12-14 17:46 --------- d-----w C:\Program Files\Native Instruments
2007-12-14 17:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-13 17:29 --------- d-----w C:\Program Files\IK Multimedia
2007-12-13 17:20 --------- d-----w C:\Program Files\TCWorks
2007-12-13 17:09 --------- d-----w C:\Program Files\Antares Audio Technologies
2007-12-13 17:09 --------- d-----w C:\Program Files\Antares
2007-12-13 17:08 --------- d-----w C:\Program Files\Waves
2007-12-13 17:05 --------- d-----w C:\Program Files\Superwave
2007-12-13 16:56 --------- d-----w C:\Program Files\KORG
2007-12-13 16:56 --------- d-----w C:\Program Files\Common Files\KORG
2007-12-13 16:55 --------- d-----w C:\Program Files\Edirol
2007-12-13 16:54 --------- d-----w C:\Program Files\Way Out Ware
2007-12-13 16:54 --------- d-----w C:\Program Files\Arturia
2007-12-13 16:48 --------- d-----w C:\Program Files\Garritan Personal Orchestra
2007-12-13 15:47 --------- d-----w C:\Program Files\East West
2007-12-13 15:14 --------- d-----w C:\Program Files\Spectrasonics
2007-12-13 12:28 --------- d-----w C:\Program Files\Toontrack
2007-12-13 12:15 --------- d-----w C:\Program Files\Common Files\Digidesign
2007-12-13 11:32 --------- d-----w C:\Program Files\Zero-G
2007-12-13 10:32 --------- d-----w C:\Program Files\Zards software
2007-12-13 09:57 --------- d-----w C:\Program Files\XLN Audio
2007-12-13 09:57 --------- d-----w C:\Program Files\Steinberg
2007-12-13 08:48 --------- d-----w C:\Documents and Settings\Biljanko\Application Data\Steinberg
2007-12-13 08:44 --------- d-----w C:\Program Files\Syncrosoft
2007-12-13 06:50 --------- d-----w C:\Program Files\M-Audio
2007-12-12 23:08 --------- d-----w C:\Documents and Settings\Biljanko\Application Data\Nero
2007-12-12 23:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-12-12 23:06 --------- d-----w C:\Program Files\Sony Setup
2007-12-12 23:05 --------- d-----w C:\Program Files\OO Software
2007-12-12 22:49 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-12 22:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-12-12 22:06 --------- d-----w C:\Program Files\My Company Name
2007-12-12 22:06 --------- d-----w C:\Program Files\ASUS
2007-12-12 22:04 --------- d-----w C:\Program Files\ATI Technologies
2007-12-12 22:01 --------- d-----w C:\Program Files\Common Files\ATI Technologies
2007-12-12 21:58 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-12 21:49 --------- d-----w C:\Program Files\Realtek
2007-12-12 21:48 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-12-12 21:47 15,600 ----a-w C:\WINDOWS\gdrv.sys
2007-12-12 21:45 --------- d-----w C:\Program Files\Intel
2007-12-12 21:33 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 11:28 139264]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 10:33 16132608 C:\WINDOWS\RTHDCPL.exe]
"JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 13:44 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2007-02-06 13:08 1953792]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"ASUSGamerOSD"="C:\Program Files\ASUS\GamerOSD\GamerOSD.exe" [2007-07-12 10:03 380928]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"M-Audio Delta Taskbar Icon"="C:\WINDOWS\System32\DeltTray.exe" [2004-08-26 23:43 56320]
"DeltTray"="DeltTray.exe" [2004-08-26 23:43 56320 C:\WINDOWS\system32\delttray.exe]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 00:00 385024]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk.disabled [2007-12-16 02:13:02 1817]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36 53248]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

R3 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb.sys [2007-07-12 10:03]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 20:08]
R3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys [2007-07-12 10:03]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-12-12 22:47]
S3 MA_CMIDI;%EVOL_USB.SvcDesc%;C:\WINDOWS\system32\drivers\ma_cmidi.sys [2005-06-14 13:44]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 18:31]
S3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2004-09-17 07:04]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2004-09-17 07:05]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2004-09-17 07:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 00:37:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-02-06 02:23:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-06 2:23:41
ComboFix-quarantined-files.txt 2008-02-06 01:23:33
ComboFix2.txt 2008-02-04 14:21:49
.
2008-02-02 22:54:30 --- E O F ---

2.

Spybot found Win32.Tiny.abk, two entries:
1. (SBI$C2ECF02B) Data
C:\WINDOWS\Temp\AE8AB41F91F72503.tmp
2. (SBI$70B44025) Temporary file
C:\WINDOWS\Temp\7CF28762C38CA0D4.tmp

3.



Well, that would be it. Thank you for taking the trouble to help me. Just one, let's call it technical, thing wasn't clear to me: whether the file that was produced should have been saved as File1.txt or File1.txt. (in the first there is no dot at the end, in the second there is)? These were saved with a dot at the end; I hope that doesn't cause a problem, and if it does I'll do the scan again and save it without the dot at the end. Maybe that dot in your post was the end of the sentence and it just confused me...
Kaspersky was also warning about: Riskware, Mass-mailing software, Running process (PID:1244)
C:\WINDOWS\system32\services.exe
I had to uninstall it since it was causing a problem during the ComboFix scan and I couldn't find an option to deactivate it while the scan runs.

Update: 06 Feb 2008 3:50

I see it should be without the dot :). I don't know whether it makes a difference, but so that we don't waste time, if it does I'll post the files again...


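To make the "Reg Loading Points" section of the ComboFix log above easier to review, here is an added Python helper (my own example, not part of this thread and not ComboFix's own code) that parses those REGEDIT4-style entries and flags the ones a helper looks at first: targets ComboFix reported as missing ("[ ]"), bare file names that were resolved through the PATH, and entries under the disabled "run-" keys. The sample input is a fragment copied from the log in the post above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Fragment of the ComboFix "Reg Loading Points" section, copied from the log posted above.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 10:33 16132608 C:\WINDOWS\RTHDCPL.exe]
"DeltTray"="DeltTray.exe" [2004-08-26 23:43 56320 C:\WINDOWS\system32\delttray.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
ENTRY_RE = re.compile(r'^"([^"]+)"=(.*)$')
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class AutostartEntry:
    key: str
    name: str
    value: str            # the command as stored in the registry value
    meta: Optional[str]   # ComboFix's bracketed file info; "" when the file was not found
    flags: List[str] = field(default_factory=list)


def split_entry(rest: str):
    """Split the text after '=' into (value, meta) the way ComboFix prints it."""
    meta = None
    if rest.endswith("]"):
        idx = rest.rfind(" [")
        if idx != -1:
            meta = rest[idx + 2:-1].strip()
            rest = rest[:idx]
    value = rest.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        value = value[1:end] if end != -1 else value[1:]
    return value, meta


def triage(e: AutostartEntry) -> None:
    """Attach review flags: the things a helper checks first in this section."""
    if e.key.lower().endswith("run-"):
        e.flags.append("disabled")          # 'run-' keys hold entries that were switched off
        return
    if e.meta == "":
        e.flags.append("file-missing")      # ComboFix prints '[ ]' when the target is gone
    elif not ABS_PATH_RE.match(e.value):
        e.flags.append("bare-filename")     # resolved through PATH; only the resolved path counts
        parts = e.meta.split(" ", 3) if e.meta else []
        if len(parts) == 4:
            e.flags.append("resolved=" + parts[3])


def parse_loading_points(text: str) -> List[AutostartEntry]:
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            value, meta = split_entry(m.group(2))
            e = AutostartEntry(key, m.group(1), value, meta)
            triage(e)
            entries.append(e)
    return entries


def flagged(entries):
    """Return {name: flags} for entries that need a look; clean entries are omitted."""
    return {e.name: e.flags for e in entries if e.flags}


if __name__ == "__main__":
    for name, flags in flagged(parse_loading_points(SAMPLE_LOG)).items():
        print(f"{name}: {', '.join(flags)}")
```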
offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Download the program Avenger from the following link:
http://swandog46.geekstogo.com/avenger.zip

On the first screen select Input script manually and then click the magnifying-glass icon.
In the window that appears, enter the following text:
Drivers to unload:
btstack

Files to Delete:
C:\WINDOWS\system32\btstack.ibs


Click the Done button.
It will return you to the first screen, where you now need to click the traffic-light icon.
If the program doesn't ask for a restart itself, restart the computer yourself (the PC will restart twice in total).

When the process is finished, paste here the contents of the log C:\avenger.txt, which will open in Notepad.

offline
  • BCC 
  • New MyCity citizen
  • Joined: 04 Feb 2008
  • Posts: 11

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\yfhtseox

*******************

Script file located at: \??\C:\Program Files\wqnmwynw.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver btstack unloaded successfully.
File C:\WINDOWS\system32\btstack.ibs deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

OK, it looks like we've gotten rid of your Riskware: Mass-mailing software... :)


Now let's check that:


1. Repeat the Rootkit scan with Gmer (that is, only the first scan - the second one isn't needed) and attach the logfile to your message.


2. Run ComboFix again and post here the logfile it produces at the end of the scan.



Also, upload the following files:

C:\Avenger\avenger.zip
C:\WINDOWS\Temp\AE8AB41F91F72503.tmp
C:\WINDOWS\Temp\7CF28762C38CA0D4.tmp

using this form: http://www.mycity.rs/ambulanta-upload.php
