Again!!!

Brok (Forum moderator; Mihajlo Bogdanović; Linux driver - fighter - warrior; joined 04 May 2005; 3246 posts) wrote:

Well, it's not that the AV program is to blame now, but it all started with it. I took an AV on trial to test it (supposedly it doesn't slow the system down like the old one did), intending to buy it in the end if it performed well; now I wouldn't take it even as a gift. During one boot it found something, and after that the system won't boot normally, only in Safe Mode (I'm writing from it now). If someone could take a look at what this is about. I scanned the system with the Kaspersky Removal Tool (a record 6 and a half hours) and it found some viruses; one of them I can't delete.

Here it is, in case it's not readable on the screenshot:

detected: Trojan program Trojan-Banker.Win32.Banker.jwg
File: C:\WINDOWS\system\system322.exe//UPack//#//UPX

Here is the HijackThis log as well:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:51:34, on 14.12.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe
C:\Documents and Settings\Administrator\Desktop\Virus Removal Tool\is-JFRQ8\is-JFRQ8.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Administrator\Desktop\Nova fascikla (4)\TR3.exe..exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll
O4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKLM\..\Run: [srpskey] C:\WINDOWS\SYSTEM32\SRPSKEY.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [rfagent] "C:\Program Files\RFA\rfagent.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2009\MemOptimizer.exe" autostart
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: FastStone Capture.lnk = C:\Program Files\FastStone Capture\FSCapture.exe
O4 - Startup: is-JFRQ8.lnk = C:\Documents and Settings\Administrator\Desktop\Virus Removal Tool\is-JFRQ8\startup.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Post Image to Blog - res://C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Transload Image to ImageShack - res://C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll/5004
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5C.....7067499531
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

--
End of file - 7448 bytes
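
The helpers in this thread read the HijackThis log by eye. As an added example (not part of the thread and not HijackThis code), the Python script below encodes a few of the checks a triager applies to such a log and runs them over a constructed subset of the lines posted above. The checks are heuristics that produce leads, not verdicts: a proxy pointed at the loopback address (the `ProxyServer = 127.0.0.1:8080` entry above) can be a local filtering proxy, a download manager or an anonymizer as easily as malware, and the next step is to see what is listening on that port (`netstat -ano` on XP); the executables under `Documents and Settings` in this log are mostly the poster's own removal tools; a file name with a doubled extension (`TR3.exe..exe`) is worth asking about; and three `drwtsn32.exe` instances (Dr. Watson, the XP crash handler) mean something kept crashing during the session. The path patterns, the entry parsing and the thresholds are my own assumptions, chosen for illustration.

```python
"""Heuristic triage of a HijackThis-style log.

Added example for this thread; not HijackThis code. The path patterns,
entry parsing and thresholds below are assumptions chosen for illustration.
"""
import re
from collections import Counter

# Constructed sample: a subset of the lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Documents and Settings\Administrator\Desktop\Virus Removal Tool\is-JFRQ8\is-JFRQ8.exe
C:\Documents and Settings\Administrator\Desktop\Nova fascikla (4)\TR3.exe..exe
C:\WINDOWS\explorer.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O4 - HKLM\..\Run: [srpskey] C:\WINDOWS\SYSTEM32\SRPSKEY.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: is-JFRQ8.lnk = C:\Documents and Settings\Administrator\Desktop\Virus Removal Tool\is-JFRQ8\startup.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Executables under a user profile (Desktop, Temp, Application Data ...) sit in
# user-writable locations; legitimate tools live there too, so this is a lead only.
USER_WRITABLE = re.compile(
    r"\\(documents and settings|users)\\[^\\]+\\(desktop|local settings|application data|appdata)",
    re.I)
# "TR3.exe..exe", "photo.jpg.exe": a dotted segment followed by an executable extension.
# Heuristic: a versioned name such as "tool.v1.exe" would also match.
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.+(exe|scr|com|pif|bat|cmd)$", re.I)
# IE proxy pointed at the local machine.
LOOPBACK_PROXY = re.compile(r"ProxyServer\s*=\s*(127\.0\.0\.1|localhost)(:\d+)?\s*$", re.I)
CRASH_HANDLER = "drwtsn32.exe"   # Dr. Watson, the XP crash handler
ENTRY = re.compile(r"([RO]\d+) - ")


def entries(log):
    """Yield (kind, line): kind is 'proc' for lines in the 'Running processes'
    block, otherwise the HijackThis entry code (R0, R1, O4, O23 ...)."""
    in_procs = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False        # a blank line ends the process list
            continue
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        if in_procs:
            yield "proc", line
            continue
        m = ENTRY.match(line)
        if m:
            yield m.group(1), line


def target_of(kind, line):
    """Pull the file path (or registry value) out of one entry."""
    if kind == "proc":
        return line
    if kind == "O4":                # "...Run: [name] path", "Startup: x.lnk = path"
        body = line.split(": ", 1)[1]
        if body.startswith("["):
            body = body.split("] ", 1)[1]
        elif " = " in body:
            body = body.split(" = ", 1)[1]
        return body.strip().strip('"')
    if kind == "O23":               # "Service: name - vendor - path"
        return line.rsplit(" - ", 1)[1]
    if kind in ("R0", "R1"):        # "key,Value = data"
        return line.split(" = ", 1)[1] if " = " in line else ""
    return line


def triage(log):
    """Return a list of (reason, line) leads for a human to follow up."""
    leads = []
    procs = Counter()
    for kind, line in entries(log):
        target = target_of(kind, line)
        name = target.rsplit("\\", 1)[-1]
        if kind == "proc":
            procs[name.lower()] += 1
        if kind in ("R0", "R1") and LOOPBACK_PROXY.search(line):
            leads.append(("loopback_proxy", line))
        if kind in ("proc", "O4", "O23"):
            if USER_WRITABLE.search(target):
                leads.append(("user_writable_path", line))
            if DOUBLE_EXT.search(name):
                leads.append(("double_extension", line))
    n = procs[CRASH_HANDLER]
    if n > 1:                       # more than one Dr. Watson means repeated crashes
        leads.append(("repeated_crash_handler", f"{CRASH_HANDLER} x{n}"))
    return leads


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:24} {line}")
```

Run on the sample it reports six leads: the loopback proxy, three profile-directory executables, the doubled extension and the repeated crash handler. Each one is a question for the poster, not a removal instruction; the reply in the thread reached its "no active malware" verdict only after a second tool (ComboFix) had looked at the same machine.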

dr_Bora (Anti Malware Fighter, Rank 2; joined 24 Jul 2007; 12280 posts; location: Höganäs, SE) wrote:

Hello...

Download ComboFix from one of the following addresses to your Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and don't touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log will appear (C:\ComboFix.txt), which you will copy here for us.

Brok wrote:

ComboFix 08-12-12.05 - Administrator 2008-12-13 22:07:32.10 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.1015.653 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-11-13 to 2008-12-13 )))))))))))))))))))))))))))))))
.

2008-12-13 21:53 . 2008-12-13 21:53 250 --a------ c:\windows\gmer.ini
2008-12-13 08:57 . 2008-12-13 18:09 <DIR> d-------- c:\program files\profile
2008-12-13 08:57 . 2008-12-13 18:09 <DIR> d-------- c:\program files\mail
2008-12-12 21:15 . 2008-12-13 19:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\RFA_Backups
2008-12-12 21:14 . 2008-12-12 21:14 <DIR> d-------- c:\program files\RFA
2008-12-12 07:21 . 2008-12-12 07:21 5,120 --ahs---- c:\windows\Thumbs.db
2008-12-11 18:16 . 2008-12-13 17:19 <DIR> d-------- c:\program files\ESET
2008-12-11 18:16 . 2008-12-11 18:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-12-11 17:57 . 2008-12-11 17:58 <DIR> d-------- c:\documents and settings\Administrator\Application Data\TypingMaster7
2008-12-11 17:56 . 2008-12-12 07:21 <DIR> dr------- c:\program files\TypingMaster
2008-12-10 15:53 . 2008-12-10 17:35 <DIR> d-------- c:\documents and settings\Administrator\Application Data\GetRightToGo
2008-12-10 15:50 . 2008-12-10 15:51 <DIR> d-------- c:\program files\MSECache
2008-12-09 15:43 . 2008-12-09 15:43 698,880 --a------ c:\windows\is-HON84.exe
2008-12-09 15:43 . 2008-12-09 15:43 10,517 --a------ c:\windows\is-HON84.msg
2008-12-09 15:43 . 2008-12-09 15:43 309 --a------ c:\windows\is-HON84.lst
2008-12-08 09:09 . 2008-12-08 09:15 <DIR> d-------- c:\program files\Common Files\Adobe
2008-12-08 07:27 . 2008-12-08 07:27 0 --a------ c:\windows\Twunk002.MTX
2008-12-08 07:12 . 2008-12-08 07:12 <DIR> d-------- c:\windows\PrimoPDF4
2008-12-08 07:12 . 2008-12-08 07:12 <DIR> d-------- c:\program files\activePDF
2008-12-06 06:14 . 2008-12-08 04:04 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-06 06:14 . 2008-12-08 04:04 1,409 --a------ c:\windows\QTFont.for
2008-12-04 05:12 . 2008-12-04 05:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Raxco
2008-12-04 05:12 . 2008-08-28 13:16 71,184 --a------ c:\windows\system32\drivers\DefragFS.sys
2008-12-04 05:11 . 2008-12-04 05:12 <DIR> d-------- c:\program files\Raxco
2008-12-04 02:35 . 2008-12-04 02:35 1,964 --a------ c:\windows\ST5UNST.001
2008-12-04 01:21 . 2001-08-17 22:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2008-12-04 01:21 . 2001-08-17 22:36 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2008-12-04 01:21 . 2001-08-17 22:36 8,192 --a------ c:\windows\system32\kbdkor.dll
2008-12-04 01:21 . 2001-08-17 22:36 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2008-12-04 01:21 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd106.dll
2008-12-04 01:21 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2008-12-04 01:21 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2008-12-04 01:21 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd106.dll
2008-12-04 01:21 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101c.dll
2008-12-04 01:21 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101b.dll
2008-12-04 01:21 . 2001-08-17 14:55 5,632 --a------ c:\windows\system32\kbd103.dll
2008-12-04 01:21 . 2001-08-17 14:55 5,632 --a--c--- c:\windows\system32\dllcache\kbd103.dll
2008-12-01 14:00 . 2008-12-02 07:20 <DIR> d-------- c:\program files\VDJ5
2008-11-29 07:18 . 2008-11-29 07:18 <DIR> d-------- c:\program files\MSBuild
2008-11-29 07:08 . 2008-11-29 07:08 <DIR> d-------- c:\windows\system32\XPSViewer
2008-11-29 07:04 . 2008-11-29 07:04 <DIR> d-------- c:\program files\Reference Assemblies
2008-11-29 07:03 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2008-11-27 14:17 . 2008-11-27 14:17 <DIR> d-------- c:\program files\PostgreSQL
2008-11-27 01:55 . 2008-12-13 17:51 <DIR> d-------- c:\program files\Trojan Remover
2008-11-27 01:55 . 2008-11-27 01:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Simply Super Software
2008-11-27 01:55 . 2008-11-27 01:55 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Simply Super Software
2008-11-27 01:55 . 2006-05-25 14:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll
2008-11-27 01:55 . 2005-08-26 00:50 77,312 --a------ c:\windows\system32\ztvunace26.dll
2008-11-27 01:55 . 2002-03-06 00:00 75,264 --a------ c:\windows\system32\unacev2.dll
2008-11-27 01:55 . 2006-06-19 12:01 69,632 --a------ c:\windows\system32\ztvcabinet.dll
2008-11-24 02:18 . 2008-11-27 23:35 754 --a------ c:\windows\WORDPAD.INI
2008-11-24 00:10 . 2008-11-27 04:25 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Winamp
2008-11-23 05:30 . 2008-12-12 07:21 <DIR> d-------- c:\program files\ImageShackToolbar
2008-11-22 22:34 . 2008-11-22 22:34 <DIR> d-------- c:\program files\Neat Image
2008-11-21 08:31 . 2008-11-21 08:31 <DIR> d-------- c:\program files\Foxit Software
2008-11-21 08:31 . 2008-11-21 08:31 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Foxit
2008-11-21 06:39 . 2008-12-08 04:54 <DIR> d-------- c:\program files\TuneUp Utilities 2009
2008-11-21 06:39 . 2008-11-21 06:39 603,904 --a------ c:\windows\system32\TUProgSt.exe
2008-11-21 06:39 . 2008-11-21 06:39 362,240 --a------ c:\windows\system32\TuneUpDefragService.exe
2008-11-21 06:39 . 2008-11-12 16:44 27,904 --a------ c:\windows\system32\uxtuneup.dll
2008-11-21 06:38 . 2008-11-21 06:38 <DIR> d--hs---- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2008-11-21 05:49 . 2008-11-21 05:49 8,294,454 --a------ c:\windows\startup.bmp
2008-11-21 05:49 . 2006-04-06 17:54 218,624 --a------ c:\windows\system32\uxtheme.backup
2008-11-21 05:40 . 2008-11-21 05:50 <DIR> d-------- c:\windows\VistaMizer
2008-11-20 07:28 . 2008-11-20 09:24 <DIR> d-------- c:\documents and settings\Administrator\Application Data\IDM
2008-11-20 07:28 . 2008-11-22 22:21 <DIR> d-------- c:\documents and settings\Administrator\Application Data\DMCache
2008-11-20 07:28 . 2008-11-20 06:41 206,256 --a------ c:\windows\system32\idmmbc.dll
2008-11-19 06:27 . 2008-11-19 06:27 <DIR> d-------- c:\windows\system32\msmq
2008-11-19 05:02 . 2008-11-19 05:02 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-11-19 04:08 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-11-17 21:04 . 2008-11-17 21:04 2,306,113 --a------ c:\windows\system32\GPhotos.scr
2008-11-17 09:26 . 2008-11-17 09:26 <DIR> d-------- c:\program files\Kaspersky Lab
2008-11-17 03:34 . 2008-11-17 03:34 <DIR> d-------- c:\program files\Common Files\NSV
2008-11-17 03:18 . 2008-11-17 03:18 <DIR> d-------- c:\program files\SpacialAudio
2008-11-17 03:18 . 2005-09-23 00:05 626,688 --a------ c:\windows\system32\msvcr80.dll
2008-11-17 03:18 . 2005-09-23 00:05 548,864 --a------ c:\windows\system32\msvcp80.dll
2008-11-16 19:57 . 2006-06-01 19:47 163,840 -----c--- c:\windows\system32\dllcache\jgdw400.dll
2008-11-16 19:57 . 2006-06-01 19:47 27,648 -----c--- c:\windows\system32\dllcache\jgpl400.dll
2008-11-16 19:54 . 2008-06-13 14:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-11-16 19:54 . 2008-06-13 14:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-11-16 19:50 . 2008-08-14 11:00 2,437,504 --a--c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-16 19:50 . 2008-08-14 10:22 2,314,880 --a--c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-16 19:50 . 2008-08-14 10:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-16 19:50 . 2008-08-14 10:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-16 19:33 . 2008-10-24 12:25 455,936 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-16 17:01 . 2008-12-12 08:30 <DIR> d-------- c:\program files\SHOUTcast
2008-11-16 13:37 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-11-16 13:37 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2008-11-16 13:37 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-16 13:37 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2008-11-16 13:37 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 19:52 --------- d-----w c:\program files\Spy Cleaner Platinum
2008-12-13 19:37 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-13 16:23 --------- d-----w c:\documents and settings\Administrator\Application Data\uTorrent
2008-12-13 11:20 --------- d-----w c:\documents and settings\All Users\Application Data\Bitmeter2
2008-12-12 13:47 --------- d-----w c:\documents and settings\Administrator\Application Data\Skype
2008-12-12 11:24 --------- d-----w c:\documents and settings\Administrator\Application Data\skypePM
2008-12-12 06:21 --------- d-----w c:\program files\Your Uninstaller 2008
2008-12-12 06:21 --------- d-----w c:\program files\WinWatermark 2
2008-12-12 06:21 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-12 06:21 --------- d-----w c:\program files\RegCure
2008-12-12 06:21 --------- d-----w c:\program files\Mouse
2008-12-12 06:21 --------- d-----w c:\program files\Free Photo Resizer
2008-12-12 06:21 --------- d-----w c:\program files\FastStone Image Viewer
2008-12-12 06:21 --------- d-----w c:\program files\FastStone Capture
2008-12-12 06:21 --------- d-----w c:\program files\ClocX
2008-12-11 17:26 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-08 03:01 --------- d-----w c:\documents and settings\Administrator\Application Data\Thinstall
2008-12-04 02:55 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-03 18:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 18:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-01 11:16 --------- d-----w c:\program files\Winamp
2008-11-25 22:18 --------- d-----w c:\program files\WinASO
2008-11-25 06:34 --------- d-----w c:\program files\Rosetta Stone
2008-11-25 06:34 --------- d-----w c:\documents and settings\All Users\Application Data\Rosetta Stone
2008-11-25 06:34 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-24 07:02 304,182 ----a-w C:\StiImg.dat
2008-11-21 04:49 218,624 ----a-w c:\windows\system32\uxtheme.dll
2008-11-20 04:13 --------- d-----w c:\program files\IObit
2008-11-20 03:50 --------- d-----w c:\program files\uTorrent
2008-11-20 03:50 --------- d-----w c:\documents and settings\Administrator\Application Data\Vso
2008-11-20 03:49 --------- d-----w c:\program files\Thoosje Vista Sidebar
2008-11-20 03:49 --------- d-----w c:\program files\ABBYY FineReader 8.0 Professional Edition
2008-11-20 03:15 --------- d-----w c:\documents and settings\Administrator\Application Data\IObit
2008-11-20 00:31 --------- d-----w c:\documents and settings\Administrator\Application Data\BSplayer PRO
2008-11-19 20:54 --------- d-----w c:\program files\Google
2008-11-15 19:11 --------- d-----w c:\program files\Trillian
2008-11-12 02:48 --------- d-----w c:\program files\Invisible Browsing
2008-11-11 20:48 --------- d-----w c:\documents and settings\Administrator\Application Data\Pamela
2008-11-10 13:29 --------- d-----w c:\documents and settings\Administrator\Application Data\Nero
2008-11-10 13:27 --------- d-----w c:\program files\Nero 9
2008-11-10 13:27 --------- d-----w c:\program files\Common Files\Nero
2008-11-10 13:23 --------- d-----w c:\documents and settings\Administrator\Application Data\AdobeUM
2008-11-09 09:18 --------- d-----w c:\documents and settings\All Users\Application Data\3DWA_L
2008-11-09 06:03 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-09 06:02 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-09 05:27 --------- d-----w c:\documents and settings\Administrator\Application Data\dvdcss
2008-11-05 21:11 --------- d-----w c:\documents and settings\All Users\Application Data\RosettaStoneLtdBackup
2008-11-04 22:07 --------- d-----w c:\program files\Common Files\Acronis
2008-11-04 21:48 --------- d-----w c:\program files\Common Files\ACD Systems
2008-11-02 19:58 --------- d-----w c:\program files\ICQ6
2008-11-02 01:37 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-11-01 02:50 --------- d-----w c:\program files\The_Pirate_Bay
2008-10-30 16:55 --------- d-----w c:\program files\Opera
2008-10-30 00:22 --------- d-----w c:\documents and settings\Administrator\Application Data\Acronis
2008-10-30 00:02 --------- d-----w c:\documents and settings\All Users\Application Data\Acronis
2008-10-30 00:00 971,168 ----a-w c:\windows\system32\drivers\tdrpm140.sys
2008-10-29 23:59 540,000 ----a-w c:\windows\system32\drivers\timntr.sys
2008-10-29 23:59 44,704 ----a-w c:\windows\system32\drivers\tifsfilt.sys
2008-10-25 22:57 --------- d-----w c:\documents and settings\Administrator\Application Data\ACD Systems
2008-10-25 22:56 --------- d-----w c:\program files\Yahoo!
2008-10-25 22:55 --------- d-----w c:\documents and settings\All Users\Application Data\ACD Systems
2008-10-24 11:25 455,936 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:51 284,160 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 334,872 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 13:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-14 15:29 --------- d-----w c:\program files\Conduit
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-01 09:45 796,672 ----a-w c:\windows\GPInstall.exe
2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-23 06:05 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-09-22 05:04 73,983 ----a-w c:\windows\WinVerCheck.exe
2008-09-15 12:17 1,846,912 ----a-w c:\windows\system32\win32k.sys
2007-12-17 02:11 47,360 ----a-w c:\documents and settings\Administrator\Application Data\pcouffin.sys
2005-07-14 19:31 27,648 --sha-w c:\windows\system32\AVSredirect.dll
2007-10-10 23:28 2,568 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 25088]
"TuneUp MemOptimizer"="c:\program files\TuneUp Utilities 2009\MemOptimizer.exe" [2008-11-20 155904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ClocX"="c:\program files\ClocX\ClocX.exe" [2004-01-21 103936]
"srpskey"="c:\windows\SYSTEM32\SRPSKEY.EXE" [2007-05-04 35840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-23 185896]
"rfagent"="c:\program files\RFA\rfagent.exe" [2007-12-04 916800]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 25088]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
FastStone Capture.lnk - c:\program files\FastStone Capture\FSCapture.exe [2008-05-07 1008128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\SHOUTcast\\sc_serv.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\English\\setup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-07-01 34312]
R3 HidMouse;HidMouse;c:\windows\system32\Drivers\HidMouse.sys [2008-02-03 34585]
S2 PD91Agent;PD91Agent;"c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe" [2008-09-09 693512]
S2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2008-11-21 603904]
S3 Amps2prt;Compatible PS/2 Port Mouse Driver;c:\windows\system32\DRIVERS\Amps2prt.sys [2008-06-12 14336]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-10-05 30192]
S3 PD91Engine;PD91Engine;"c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe" [2008-09-09 906504]
S3 tenCapture;tenCapture;c:\windows\system32\DRIVERS\tenCapture.sys [2007-04-21 9344]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - GMER
.
Contents of the 'Scheduled Tasks' folder

2008-12-13 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 16:28]

2008-12-13 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 18:38]

2008-12-11 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-07-26 20:37]

2008-12-13 c:\windows\Tasks\User_Feed_Synchronization-{61EDF5FA-C82B-4023-8C2B-44D92736E24F}.job
- c:\windows\system32\msfeedssync.exe [2008-08-22 03:05]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download all links with IDM
IE: Download FLV video content with IDM
IE: Download with IDM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Post Image to Blog - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5003
IE: Tag This Image - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5002
IE: Transload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5004
IE: Upload All Images to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5000
IE: Upload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5001
LSP: c:\windows\system32\idmmbc.dll

- c:\windows\Downloaded Program Files\ImageShackToolbar.osd

- hxxp://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gfaxb2ht.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101699&gct=&gc=1&q=
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF - plugin: c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-13 22:09:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888-)
c:\windows\system32\sfc_os.dll
c:\windows\system32\cscui.dll
c:\windows\system32\ac3acm.acm
.
Completion time: 2008-12-13 22:10:44
ComboFix-quarantined-files.txt 2008-12-13 21:09:48

Pre-Run: 13.491.486.720 bytes free
Post-Run: 13,623,373,824 bytes free

301 --- E O F --- 2008-12-12 08:54:19

I barely managed to follow this; I restarted the system, but again it wouldn't boot normally, only into Safe Mode. Here is what it kept showing me after the scan, so that I couldn't post anything (in any web browser); only now, after I restarted it, could I:

dr_Bora wrote:

Here's the thing... There is no active malware here.

That error from the screenshot is related to Internet Download Manager.

I'd recommend you use System Restore to go back to a point before the problem appeared.

If there are problems with malware after that, report back in this thread.

Brok wrote:

I didn't manage to restore the system with System Restore because there was no restore point configured; how that happened, I have no idea.

Anyway, I somehow managed to boot the system normally, by cleaning the registry and the like. I'll see how it behaves over the next few days and report back.

In any case, many thanks for the help and the effort spent. :D

Update: 15 Dec 2008 9:15

Edit:
Now everything, as far as I can tell, works as it should; the old AV found something else, but that wasn't a threat, I know what it is (regardless, I deleted it all). Is there any need to post the HijackThis log again for you to review?

I uninstalled ComboFix with the command:
Click START and then RUN
In the text box type Combofix /u and click OK

I have one more question, though this isn't really the place for it, but I'd rather not open a new thread just for that. Several months ago, when Safari for Win XP came out, I installed it to try it out and soon after uninstalled it because it brings nothing new; it seems to me that since then one service has been running unnecessarily, I mean O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
The question is whether I may disable it, i.e. delete it?

dr_Bora wrote:

If there is no specific problem, the log isn't needed.

As for the service... I think it gets installed along with iTunes (and perhaps with some other Apple program too).

If you consider it unnecessary, check in Add/Remove Programs whether it can be uninstalled. If it can't, and you want to stop it:

Start > Run:

services.msc

Find Bonjour Service and set it to Disabled.

Brok wrote:

OK, then there's no need, since everything is as it should be. I understood about the service.

Once again, many thanks for the help. :D
