Problem with a Security Alert!

  • Joined: 23 Jan 2008
  • Posts: 65
  • Location: Beograd

Logfile of HijackThis v1.99.1
Scan saved at 12:01:30, on 30.6.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Web Technologies\wcs.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Web Technologies\wcm.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\TeamViewer3\TeamViewer_Host.exe
C:\Program Files\TeamViewer3\TeamViewer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\Desktop\New Folder\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: (no name) - {B8301AF7-D00E-4EA4-87C1-5FF4644FBBA1} - C:\Program Files\Web Technologies\iebt.dll
O3 - Toolbar: Internet Service - {85BDD81D-31FD-4A6B-A73C-3955B128D2EC} - C:\Program Files\Web Technologies\iebr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{748EEF27-55CB-4BFB-BCC7-73268572A678}: NameServer = 192.168.0.11,91.150.90.2,91.150.90.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{748EEF27-55CB-4BFB-BCC7-73268572A678}: NameServer = 192.168.0.11,91.150.90.2,91.150.90.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{748EEF27-55CB-4BFB-BCC7-73268572A678}: NameServer = 192.168.0.11,91.150.90.2,91.150.90.3
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: TeamViewer 3 (TeamViewer) - Unknown owner - C:\Program Files\TeamViewer3\TeamViewer_Host.exe" -service (file missing)

Here is the ComboFix report as well:

ComboFix 08-06-20.4 - User 2008-06-30 12:08:06.2 - NTFSx86
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-30 11:12 . 2008-06-30 11:12 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-06-30 11:12 . 2008-06-30 11:12 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-06-30 09:39 . 2008-06-30 09:39 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-30 09:39 . 2008-06-30 09:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-30 09:38 . 2008-06-30 09:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-30 09:34 . 2008-06-30 10:08 <DIR> d-------- C:\Program Files\a-squared Free
2008-06-29 09:50 . 2008-06-30 08:48 0 --a------ C:\WINDOWS\system32\ieupdates.exe.tmp
2008-06-29 09:33 . 2008-06-30 10:06 <DIR> d-------- C:\Program Files\Web Technologies
2008-06-27 13:55 . 2008-06-27 14:51 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-06-27 13:20 . 2008-06-27 13:20 <DIR> d---s---- C:\Documents and Settings\User\UserData
2008-06-24 11:47 . 2008-06-24 11:47 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-11 06:57 . 2008-05-08 14:14 203,008 --------- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-11 06:56 . 2008-06-13 15:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 06:56 . 2008-06-13 15:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-28 13:50 . 2008-05-28 13:50 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-28 13:50 . 2008-05-28 13:50 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-03 07:49 . 2008-05-03 07:49 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\TeamViewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-30 10:10 --------- d-----w C:\Documents and Settings\User\Application Data\Skype
2008-06-30 07:08 --------- d-----w C:\Documents and Settings\User\Application Data\skypePM
2008-05-08 12:14 203,008 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-30 11:07 --------- d-----w C:\Documents and Settings\User\Application Data\TeamViewer
2008-04-30 11:06 --------- d-----w C:\Program Files\TeamViewer3
2008-04-30 09:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-04-29 09:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 09:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 09:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-02-13 10:24 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot@2008-06-30_11.10.07,26 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-30 09:03:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-30 09:50:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-30 09:51:10 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8301AF7-D00E-4EA4-87C1-5FF4644FBBA1}]
2008-06-30 10:03 7680 --a------ C:\Program Files\Web Technologies\iebt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{85BDD81D-31FD-4A6B-A73C-3955B128D2EC}"= "C:\Program Files\Web Technologies\iebr.dll" [2008-06-29 09:33 85504]

[HKEY_CLASSES_ROOT\clsid\{85bdd81d-31fd-4a6b-a73c-3955b128d2ec}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{85BDD81D-31FD-4A6B-A73C-3955B128D2EC}"= C:\Program Files\Web Technologies\iebr.dll [2008-06-29 09:33 85504]

[HKEY_CLASSES_ROOT\clsid\{85bdd81d-31fd-4a6b-a73c-3955b128d2ec}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-23 17:45 22058792]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 06:42 577536 C:\WINDOWS\soundman.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"some"= C:\Program Files\Web Technologies\wcs.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{2a7a8ce2-1eaf-4fc0-9158-958bb6bfa5c4}"= C:\WINDOWS\system32\jhzpcn.dll [2008-06-28 14:46 13312]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
R2 TeamViewer;TeamViewer 3;"C:\Program Files\TeamViewer3\TeamViewer_Host.exe" -service []

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-06-30 12:10:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-30 12:12:04
ComboFix-quarantined-files.txt 2008-06-30 10:11:58
ComboFix2.txt 2008-06-30 09:10:23

Pre-Run: 14,754,377,728 bytes free
Post-Run: 14,745,673,728 bytes free

94 --- E O F --- 2008-06-28 12:48:12

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Well, tell me now how I am supposed to make sense of this when you didn't follow the instructions?
Was it said anywhere that you should scan with ComboFix?
What I can see now is that this isn't your first ComboFix scan, and that it already deleted something during the previous scans...

Now find the previous ComboFix log on your hard drive, open it in Notepad and paste its contents here. The previous log is named ComboFix2.txt.

  • Joined: 23 Jan 2008
  • Posts: 65
  • Location: Beograd

Better you tell me how to get rid of this pest? :-)

Here is the first ComboFix log as well:

ComboFix 08-06-20.4 - User 2008-06-30 11:07:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.66 [GMT 2:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-30 09:39 . 2008-06-30 09:39 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-30 09:39 . 2008-06-30 09:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-30 09:38 . 2008-06-30 09:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-30 09:34 . 2008-06-30 10:08 <DIR> d-------- C:\Program Files\a-squared Free
2008-06-29 09:50 . 2008-06-30 08:48 0 --a------ C:\WINDOWS\system32\ieupdates.exe.tmp
2008-06-29 09:33 . 2008-06-30 10:06 <DIR> d-------- C:\Program Files\Web Technologies
2008-06-27 13:55 . 2008-06-27 14:51 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-06-27 13:20 . 2008-06-27 13:20 <DIR> d---s---- C:\Documents and Settings\User\UserData
2008-06-24 11:47 . 2008-06-24 11:47 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-11 06:57 . 2008-05-08 14:14 203,008 --------- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-11 06:56 . 2008-06-13 15:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 06:56 . 2008-06-13 15:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-28 13:50 . 2008-05-28 13:50 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-28 13:50 . 2008-05-28 13:50 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-03 07:49 . 2008-05-03 07:49 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\TeamViewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-30 09:04 --------- d-----w C:\Documents and Settings\User\Application Data\Skype
2008-06-30 07:08 --------- d-----w C:\Documents and Settings\User\Application Data\skypePM
2008-06-28 12:46 13,312 --s-a-w C:\WINDOWS\system32\jhzpcn.dll
2008-05-08 12:14 203,008 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 04:55 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-30 11:07 --------- d-----w C:\Documents and Settings\User\Application Data\TeamViewer
2008-04-30 11:06 --------- d-----w C:\Program Files\TeamViewer3
2008-04-30 09:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-04-29 09:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 09:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 09:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-17 10:46 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2008-03-26 08:09 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-26 08:09 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-25 08:20 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
2008-03-25 08:20 219,936 ------w C:\WINDOWS\system32\dllcache\msltus40.dll
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:40 1,845,888 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-13 10:24 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8301AF7-D00E-4EA4-87C1-5FF4644FBBA1}]
2008-06-30 10:03 7680 --a------ C:\Program Files\Web Technologies\iebt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{85BDD81D-31FD-4A6B-A73C-3955B128D2EC}"= "C:\Program Files\Web Technologies\iebr.dll" [2008-06-29 09:33 85504]

[HKEY_CLASSES_ROOT\clsid\{85bdd81d-31fd-4a6b-a73c-3955b128d2ec}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{85BDD81D-31FD-4A6B-A73C-3955B128D2EC}"= C:\Program Files\Web Technologies\iebr.dll [2008-06-29 09:33 85504]

[HKEY_CLASSES_ROOT\clsid\{85bdd81d-31fd-4a6b-a73c-3955b128d2ec}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-23 17:45 22058792]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 13:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 06:42 577536 C:\WINDOWS\soundman.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"some"= C:\Program Files\Web Technologies\wcs.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{2a7a8ce2-1eaf-4fc0-9158-958bb6bfa5c4}"= C:\WINDOWS\system32\jhzpcn.dll [2008-06-28 14:46 13312]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\18417827569742099510910738452678]
C:\Program Files\XP Antivirus\xpa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
R2 TeamViewer;TeamViewer 3;"C:\Program Files\TeamViewer3\TeamViewer_Host.exe" -service []

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-06-30 11:08:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-30 11:10:22
ComboFix-quarantined-files.txt 2008-06-30 09:10:19

Pre-Run: 14,712,950,784 bytes free
Post-Run: 14,719,377,408 bytes free

101 --- E O F --- 2008-06-28 12:48:12

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Open Notepad and copy the following text into it:

File::
C:\WINDOWS\system32\jhzpcn.dll
C:\WINDOWS\system32\ieupdates.exe.tmp

Folder::
C:\Program Files\Web Technologies\
C:\Program Files\XP Antivirus\

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8301AF7-D00E-4EA4-87C1-5FF4644FBBA1}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"some"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{2a7a8ce2-1eaf-4fc0-9158-958bb6bfa5c4}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\18417827569742099510910738452678]

Save the file from Notepad to the Desktop as "CFScript".

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post the log that is produced at the end of the cleaning/scan in your next message.
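As an added example (not code from the thread, HijackThis or ComboFix), the script below parses the O2/O3/O4 lines of a HijackThis log like the one posted above, flags entries by two assumed triage rules (a BHO with no name, or a module loaded from a folder the user never installed), and drafts a CFScript in the File::/Folder::/Registry:: form the helper posted. The sample lines are a constructed subset of the thread's HJT log, and the Toolbar and Run registry keys it writes are the ones visible in the thread's ComboFix "Reg Loading Points" output.

```python
"""Triage HijackThis O2/O3/O4 entries and draft a ComboFix CFScript.

Added example for this thread; not code from the forum, HijackThis or
ComboFix. Assumed: the triage rules in flag_suspicious(), the analyst-supplied
suspect_dirs list, and the Toolbar/Run registry keys (copied from the
ComboFix "Reg Loading Points" output posted in the thread).
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: a subset of the HijackThis log posted in the thread.
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B8301AF7-D00E-4EA4-87C1-5FF4644FBBA1} - C:\Program Files\Web Technologies\iebt.dll
O3 - Toolbar: Internet Service - {85BDD81D-31FD-4A6B-A73C-3955B128D2EC} - C:\Program Files\Web Technologies\iebr.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
"""

# O2 (BHO) and O3 (Toolbar) lines: "O2 - BHO: <name> - {CLSID} - <dll path>"
IE_RE = re.compile(r"^O(?P<kind>[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
                   r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# O4 lines: "O4 - HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: "
                    r"\[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def parse_hjt(text):
    """Return one dict per O2/O3/O4 line; other HJT sections are ignored."""
    entries = []
    for line in text.splitlines():
        if m := IE_RE.match(line):
            e = m.groupdict()
            e["kind"] = "bho" if e["kind"] == "2" else "toolbar"
            entries.append(e)
        elif m := RUN_RE.match(line):
            e = m.groupdict()
            e["kind"] = "run"
            cmd = e["cmd"]
            # Quoted command line: the image is the quoted part; otherwise take
            # the first token (adequate for the O4 lines in this thread).
            e["path"] = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
            entries.append(e)
    return entries


def _parent(path):
    return str(PureWindowsPath(path).parent).lower()


def flag_suspicious(entries, suspect_dirs):
    """Assumed triage rules: a BHO with no name, or any module loaded from a
    folder the user did not install (suspect_dirs, compared case-insensitively)."""
    dirs = {d.lower().rstrip("\\") for d in suspect_dirs}
    return [e for e in entries
            if (e["kind"] == "bho" and e["name"] == "(no name)")
            or _parent(e["path"]) in dirs]


def build_cfscript(flagged, suspect_dirs):
    """Emit File::/Folder::/Registry:: sections in the form used in the thread.
    Files inside a folder that is deleted whole are not listed again."""
    folders = sorted({d.rstrip("\\") + "\\" for d in suspect_dirs})
    lowered = {f.lower() for f in folders}
    files = sorted({e["path"] for e in flagged if _parent(e["path"]) + "\\" not in lowered})
    reg = []
    for e in flagged:
        if e["kind"] == "bho":
            reg.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{e['clsid']}]")
        elif e["kind"] == "toolbar":
            reg += [r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]",
                    '"' + e["clsid"] + '"=-']
        else:
            reg += [f"[{HIVES[e['hive']]}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]",
                    '"' + e["value"] + '"=-']
    sections = [("File::", files), ("Folder::", folders), ("Registry::", reg)]
    return "\n\n".join(f"{h}\n" + "\n".join(b) for h, b in sections if b) + "\n"
```

With `dirs = [r"C:\Program Files\Web Technologies"]`, `build_cfscript(flag_suspicious(parse_hjt(HJT_SAMPLE), dirs), dirs)` reproduces the Folder:: and Registry:: lines for the BHO and toolbar, the part of the helper's script that HijackThis alone could account for.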

  • Joined: 23 Jan 2008
  • Posts: 65
  • Location: Beograd

As for the "red shield", it is gone now; here is the ComboFix log as well:

ComboFix 08-06-30.2 - User 2008-07-02 8:49:59.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.89 [GMT 2:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\ieupdates.exe.tmp
C:\WINDOWS\system32\jhzpcn.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ieupdates.exe.tmp
C:\WINDOWS\system32\jhzpcn.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.

2008-06-30 15:55 . 2008-06-30 15:59 <DIR> d-------- C:\Program Files\Panda Security
2008-06-30 14:42 . 2008-06-30 14:42 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-30 11:12 . 2008-06-30 11:12 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-06-30 11:12 . 2008-06-30 11:12 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-06-30 09:39 . 2008-06-30 09:39 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-30 09:39 . 2008-06-30 09:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-30 09:38 . 2008-06-30 09:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-30 09:34 . 2008-06-30 10:08 <DIR> d-------- C:\Program Files\a-squared Free
2008-06-27 13:55 . 2008-06-27 14:51 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-06-27 13:20 . 2008-06-27 13:20 <DIR> d---s---- C:\Documents and Settings\User\UserData
2008-06-24 11:47 . 2008-06-24 11:47 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-11 06:57 . 2008-05-08 14:14 203,008 --------- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-11 06:56 . 2008-06-13 15:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 06:56 . 2008-06-13 15:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-02 06:52 --------- d-----w C:\Documents and Settings\User\Application Data\Skype
2008-07-02 06:09 --------- d-----w C:\Documents and Settings\User\Application Data\skypePM
2008-06-30 13:38 --------- d-----w C:\Program Files\TeamViewer3
2008-05-28 11:50 --------- d-----w C:\Program Files\Common Files\Skype
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:14 203,008 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 04:55 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-05-03 05:49 --------- d-----w C:\Documents and Settings\LocalService\Application Data\TeamViewer
2008-04-17 10:46 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2008-02-13 10:24 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot@2008-06-30_11.10.07,26 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-30 09:03:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-02 04:47:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-29 23:35:11 17,486,968 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-05-29 14:35:12 17,486,968 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-06-30 13:47:11 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-23 17:45 22058792]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 06:42 577536 C:\WINDOWS\soundman.exe]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
R2 TeamViewer;TeamViewer 3;"C:\Program Files\TeamViewer3\TeamViewer_Host.exe" -service []

.
- - - - ORPHANS REMOVED - - - -

Toolbar-{85BDD81D-31FD-4A6B-A73C-3955B128D2EC} - C:\Program Files\Web Technologies\iebr.dll
WebBrowser-{85BDD81D-31FD-4A6B-A73C-3955B128D2EC} - C:\Program Files\Web Technologies\iebr.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-07-02 08:51:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-02 8:53:40
ComboFix-quarantined-files.txt 2008-07-02 06:53:37
ComboFix2.txt 2008-06-30 10:12:06
ComboFix3.txt 2008-06-30 09:10:23

Pre-Run: 14,562,168,832 bytes free
Post-Run: 14,565,916,672 bytes free

96 --- E O F --- 2008-06-28 12:48:12

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

  • Joined: 23 Jan 2008
  • Posts: 65
  • Location: Beograd

I have done the last step as well; for now I don't notice any problems in operation.

Thank you very much.
