Problem sa nepoznatim mailovima

2

Problem sa nepoznatim mailovima

offline
  • vl 
  • Novi MyCity građanin
  • Pridružio: 05 Maj 2007
  • Poruke: 18

Izvini. Bio sam zaboravio da deštrikiram hide file extensions for known types, ali sad sam to uradio pa opet ga ne vidim. Ova dva sam obrisao.

offline
  • DEMIAN  Male
  • Legendarni građanin
  • IT Manager
  • Pridružio: 25 Mar 2005
  • Poruke: 3706
  • Gde živiš: The darkest place on earth..

Pokreni HJT, uradi "Do a system scan only" pronađi i označi sledeće linije:

O2 - BHO: (no name) - {5488E24F-B8E4-43B7-8726-F314FF7FEE98} - c:\windows\system32\dmhadmh.dll (file missing)
O2 - BHO: MS Explorer - {9B5A95FA-DFAF-31AB-A1AF-8A9FA7F8A98E} - C:\WINDOWS\system\wmecst32.dll (file missing)
O4 - HKLM\..\Run: [mrwmhlft] C:\WINDOWS\system32\mrwmhlft.exe
O4 - HKLM\..\Run: [mrwmhlft] C:\WINDOWS\system32\mrwmhlft.exe
O20 - Winlogon Notify: poibqqbc - dmhadmh.dll (file missing)

Klikni na "Fix Checked".
Kada to uradiš, restartuj računar, snimi i pošalji mi svež HJT log da vidim razvoj situacije..

offline
  • vl 
  • Novi MyCity građanin
  • Pridružio: 05 Maj 2007
  • Poruke: 18

Evo loga:

Logfile of HijackThis v1.99.1
Scan saved at 13:34:18, on 7.5.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\InterBase Corp\InterBase\bin\ibguard.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\r_server.exe
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\InterBase Corp\InterBase\bin\ibserver.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\VisualTooltip\VisualToolTip.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\DOCUME~1\vlado\LOCALS~1\Temp\{D660466C-1657-4E6A-A875-9CC99599089F}\Blaero Start Orb.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\DOCUME~1\vlado\LOCALS~1\Temp\{9AEE1512-EBB3-4453-BF94-DD48873A58FF}\sidebar.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\vlado\Desktop\vlado1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = kingkongsearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = windowsxlive.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = go.microsoft.com/fwlink/?LinkId=488
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5488E24F-B8E4-43B7-8726-F314FF7FEE98} - c:\windows\system32\dmhadmh.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [Vista Sidebar] C:\Program Files\Vista Sidebar\sidebar.exe
O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\VisualTooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [Blaero Start Orb] C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
O4 - HKLM\..\Run: [Styler] C:\Program Files\Styler\Styler.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nikbanka.cg.rs
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F5325BC-2881-4CE2-9419-BF5F4C41D508}: NameServer = 172.16.1.5,172.16.1.15
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nikbanka.cg.rs
O17 - HKLM\System\CS1\Services\Tcpip\..\{4F5325BC-2881-4CE2-9419-BF5F4C41D508}: NameServer = 172.16.1.5,172.16.1.15
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: poibqqbc - dmhadmh.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - InterBase Software Corp. - C:\Program Files\InterBase Corp\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - InterBase Software Corp. - C:\Program Files\InterBase Corp\InterBase\bin\ibserver.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)

offline
  • DEMIAN  Male
  • Legendarni građanin
  • IT Manager
  • Pridružio: 25 Mar 2005
  • Poruke: 3706
  • Gde živiš: The darkest place on earth..

Imao si nekoliko različitih infekcija na racunaru, nesto smo sredili ali ima još toga. Trebalo bi da ovo bude poslednji korak ako sve protekne kako treba. Postupi po ovom uputstvu ispod.
------------------------

VundoFix:
http://www.atribune.org/ccount/click.php?id=4

* Dvoklikom se startuje fajl VundoFix.exe.
* Izabere opcija Scan for Vundo.
* Posle završenog skeniranja i pojave poruke Done Searching for files klikne se na OK.
* Sada, kada je skeniranje obavljeno potrebno je kliknuti na opciju Remove Vundo.
* Po pojavljivanju upita o uklanjaju Vundo fajlova klikne se na Yes.
* Pokretanje ove opcije učiniće Desktop privremeno praznim u cilju pripreme sistema za uklanjanje Vundo-a.
* Po završetku, pojaviće se obaveštenje o gašnjenju računara, klikne se OK.
* Uključi se računar i podigne sistem iznova.
* Iskopira se sadržaj loga sa putanje C:\vundofix.txt i novi HiJackThis log u poruku na forumu.

offline
  • vl 
  • Novi MyCity građanin
  • Pridružio: 05 Maj 2007
  • Poruke: 18

Evo sadrzaja C:\vundofix.txt ali nije mi doslo do gubljenja ikonica sa desktop-a niti je trazen reset a mislim da sam sve uradio kao sto si mi rekao


VundoFix V6.3.21

Checking Java version...

Sun Java not detected
Scan started at 13:50:31 7.5.2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Beginning removal...

VundoFix V6.3.21

Checking Java version...

Sun Java not detected
Scan started at 14:00:20 7.5.2007

Listing files found while scanning....




evo i loga:

Logfile of HijackThis v1.99.1
Scan saved at 14:10:57, on 7.5.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\InterBase Corp\InterBase\bin\ibguard.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\r_server.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\InterBase Corp\InterBase\bin\ibserver.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\LClock\LClock.exe
C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\Program Files\VisualTooltip\VisualToolTip.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\DOCUME~1\vlado\LOCALS~1\Temp\{89885CB2-0AFC-44C2-A371-60D7A15DB4B5}\sidebar.exe
C:\DOCUME~1\vlado\LOCALS~1\Temp\{140AB7D0-354E-40A2-9E10-ABC1EDD21B93}\Blaero Start Orb.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\vlado\Desktop\vlado2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = kingkongsearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = windowsxlive.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = go.microsoft.com/fwlink/?LinkId=488
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5488E24F-B8E4-43B7-8726-F314FF7FEE98} - c:\windows\system32\dmhadmh.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [Vista Sidebar] C:\Program Files\Vista Sidebar\sidebar.exe
O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\VisualTooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [Blaero Start Orb] C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
O4 - HKLM\..\Run: [Styler] C:\Program Files\Styler\Styler.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nikbanka.cg.rs
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F5325BC-2881-4CE2-9419-BF5F4C41D508}: NameServer = 172.16.1.5,172.16.1.15
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nikbanka.cg.rs
O17 - HKLM\System\CS1\Services\Tcpip\..\{4F5325BC-2881-4CE2-9419-BF5F4C41D508}: NameServer = 172.16.1.5,172.16.1.15
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: poibqqbc - dmhadmh.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - InterBase Software Corp. - C:\Program Files\InterBase Corp\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - InterBase Software Corp. - C:\Program Files\InterBase Corp\InterBase\bin\ibserver.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)

Ako sam nesto pogrijesio reci mi da ispravim. Izvini unaprijed

offline
  • DEMIAN  Male
  • Legendarni građanin
  • IT Manager
  • Pridružio: 25 Mar 2005
  • Poruke: 3706
  • Gde živiš: The darkest place on earth..

Hmm.. Confused Prema malicioznim 02 i 020 linijama sam posumnjao na Vundo (to mu je glavna karakteristika) ali te infekcije ili nema na tvom računaru ili je ovo neka novija verzija koju ne detektuje taj fix. Zato ti i nije tražio restart. Otežava mi i to što nemam fajl, koji bih proverio i znao o čemu se tačno radi..

Daj da vidimo da nešto nije rootkitovano (skriveno) na toj mašini. Ako i to ne da rezultat, moraću da se konsultujem sa ostatkom ekipe i bobby-jem a to će biti tek posle 6-7 PM.

btw. I nemoj da se izvinjavaš, nema potrebe.. Wink
-------------------

Uradi sledeće:
Preuzmi fajl gmer.zip sa ovog linka i sačuvaj na Desktop-u.
Raspakuj ga u neki folder.

Dupli klik na gmer.exe za početak: Izaberi Rootkit Tab na vrhu.
Klikni na Scan.
Kada je skeniranje završeno, klik na Copy dugme ispod - ovo će sačuvati to u Clipboard.
Iskoristi opciju Paste u Notepad-u da bi to prebacio u tekst. Snimi taj tekst iz Notepada kao file1.txt.
Ponovi ovo isto sa Autostart Tab-om. Snimi taj tekst iz Notepada kao file2.txt.

Iskopiraj nam ovde sadrzaj ta dva fajla koja smo malopre snimili.

offline
  • vl 
  • Novi MyCity građanin
  • Pridružio: 05 Maj 2007
  • Poruke: 18

Evo sadrzaja prvog fajla:

GMER 1.0.12.12244 - gmer.net
Rootkit scan 2007-05-07 15:06:35
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \WINDOWS\System32\drivers\fsndis5.sys ZwCreateProcess
SSDT \WINDOWS\System32\drivers\fsndis5.sys ZwCreateProcessEx
SSDT \WINDOWS\System32\drivers\fsndis5.sys ZwCreateSection
SSDT \WINDOWS\System32\drivers\fsndis5.sys ZwCreateThread
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT \WINDOWS\System32\drivers\fsndis5.sys ZwWriteVirtualMemory

Code \WINDOWS\System32\drivers\fsndis5.sys IoCreateDevice

---- Kernel code sections - GMER 1.0.12 ----

PAGE ntkrnlpa.exe!IoCreateDevice 80574702 5 Bytes JMP F7524FD0 \WINDOWS\System32\drivers\fsndis5.sys
PAGE ntkrnlpa.exe!ObReferenceObjectByHandle + 44F 805BA2A9 7 Bytes JMP F78E8CFE xkwagrvl.sys
? xkwagrvl.sys The system cannot find the file specified.
PAGENPNP NDIS.SYS!NdisRegisterProtocol F722B17D 5 Bytes JMP F7524C49 \WINDOWS\System32\drivers\fsndis5.sys
PAGENPNP NDIS.SYS!NdisOpenAdapter F722B397 5 Bytes JMP F7524EB4 \WINDOWS\System32\drivers\fsndis5.sys
PAGENPNP NDIS.SYS!NdisCloseAdapter F723561E 5 Bytes JMP F7524EE4 \WINDOWS\System32\drivers\fsndis5.sys
PAGENPNP NDIS.SYS!NdisDeregisterProtocol F72357FD 5 Bytes JMP F7524CB0 \WINDOWS\System32\drivers\fsndis5.sys
PAGENDSP NDIS.SYS!NdisReturnPackets F7238800 5 Bytes JMP F752913A \WINDOWS\System32\drivers\fsndis5.sys
PAGENDSP NDIS.SYS!NdisRequest F723896B 5 Bytes JMP F7527578 \WINDOWS\System32\drivers\fsndis5.sys
PAGENDSP NDIS.SYS!NdisSend F723B977 5 Bytes JMP F75293FE \WINDOWS\System32\drivers\fsndis5.sys
PAGENDSP NDIS.SYS!NdisSendPackets F723B994 5 Bytes JMP F75294D0 \WINDOWS\System32\drivers\fsndis5.sys
PAGENDSP NDIS.SYS!NdisTransferData F723B9AF 5 Bytes JMP F752925C \WINDOWS\System32\drivers\fsndis5.sys
? C:\WINDOWS\System32\DRIVERS\update.sys

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\MSN Messenger\msnmsgr.exe[3692] kernel32.dll!SetUnhandledExceptionFilter 7C810386 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\MsnMsgr.Exe

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_READ [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_READ [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_READ [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_READ [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_READ [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA [F72579E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP [F72579E8] fsdfw.sys

---- EOF - GMER 1.0.12 ----



Evo i drugog fajla:

GMER 1.0.12.12244 - gmer.net
Autostart scan 2007-05-07 15:09:40
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon >>>
@UserinitC:\WINDOWS\system32\userinit.exe, = C:\WINDOWS\system32\userinit.exe,
@UIHostvistaui.exe = vistaui.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\poibqqbc@DLLName = dmhadmh.dll /*file not found*/

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AVG Anti-Spyware Guard /*AVG Anti-Spyware Guard*/@ = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
BackWeb Plug-in - 7681197 /*F-Secure Automatic Update*/@ = C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
F-Secure Gatekeeper Handler Starter /*FSGKHS*/@ = "C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe"
fsbwsys /*fsbwsys*/@ = "C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe"
FSMA /*F-Secure Management Agent*/@ = "C:\Program Files\F-Secure\Common\FSMA32.EXE"
InCDsrv /*InCD Helper*/@ = C:\Program Files\Ahead\InCD\InCDsrv.exe
InterBaseGuardian /*InterBase Guardian*/@ = C:\Program Files\InterBase Corp\InterBase\bin\ibguard.exe -s /*file not found*/
MSSQLSERVER /*MSSQLSERVER*/@ = C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
RichVideo /*Cyberlink RichVideo Service(CRVS)*/@ = "C:\Program Files\CyberLink\Shared Files\RichVideo.exe" ??????????????????????????????????????????????????????
r_server /*Remote Administrator Service*/@ = "C:\WINDOWS\system32\r_server.exe" /service
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@SiSPowerRundll32.exe SiSPower.dll,ModeAgent = Rundll32.exe SiSPower.dll,ModeAgent
@SoundManSOUNDMAN.EXE = SOUNDMAN.EXE
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@InCDC:\Program Files\Ahead\InCD\InCD.exe = C:\Program Files\Ahead\InCD\InCD.exe
@F-Secure Manager"C:\Program Files\F-Secure\Common\FSM32.EXE" /splash = "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
@F-Secure TNB"C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW = "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
@LClockC:\Program Files\LClock\LClock.exe = C:\Program Files\LClock\LClock.exe
@Vista SidebarC:\Program Files\Vista Sidebar\sidebar.exe = C:\Program Files\Vista Sidebar\sidebar.exe
@VisualTooltipC:\Program Files\VisualTooltip\VisualToolTip.exe = C:\Program Files\VisualTooltip\VisualToolTip.exe
@Blaero Start OrbC:\Program Files\Blaero Start Orb\Blaero Start Orb.exe = C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
@StylerC:\Program Files\Styler\Styler.exe = C:\Program Files\Styler\Styler.exe
@RemoteControl"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" = "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
@LanguageShortcut"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" = "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
@!AVG Anti-Spyware"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@swgC:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe = C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
@MsnMsgr"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
@MSMSGS"C:\Program Files\Messenger\msmsgs.exe" = "C:\Program Files\Messenger\msmsgs.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ >>>
SharedTaskScheduler@{2BDEC973-B5AC-4e5b-8AB3-5A0500880DA2} =
ShellExecuteHooks@{57B86673-276A-48B2-BAE7-C6DBB3020EB8} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{950FF917-7A57-46BC-8017-59D9BF474000} /*Shell Extension for CDRW*/C:\Program Files\Ahead\InCD\incdshx.dll = C:\Program Files\Ahead\InCD\incdshx.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL = C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\OFFICE11\msohev.dll = C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{23170F69-40C1-278A-1000-000100020000} /*7-Zip Shell Extension*/C:\Program Files\7-Zip\7-zip.dll = C:\Program Files\7-Zip\7-zip.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll = C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
7-Zip@{23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zip.dll
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{23814B80-52A2-11d0-BC1A-004095606CB9} = C:\Program Files\F-Secure\Common\fpshx.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
7-Zip@{23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zip.dll
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers@{23814B80-52A2-11d0-BC1A-004095606CB9} = C:\Program Files\F-Secure\Common\fpshx.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
@{5488E24F-B8E4-43B7-8726-F314FF7FEE98}c:\windows\system32\dmhadmh.dll /*file not found*/ = c:\windows\system32\dmhadmh.dll /*file not found*/
@{9030D464-4C02-4ABF-8ECC-5164760863C6}C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll = C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\program files\google\googletoolbar2.dll = c:\program files\google\googletoolbar2.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\Programi\SCREEN~1\Bubbles\bubbles.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
@Start Pagehttp://www.windowsxlive.net = windowsxlive.net
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.com/ = google.com/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@Domain = nikbanka.cg.rs

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4F5325BC-2881-4CE2-9419-BF5F4C41D508} /*Local Area Connection*/ >>>
@IPAddress172.16.1.107 = 172.16.1.107
@NameServer172.16.1.5,172.16.1.15 = 172.16.1.5,172.16.1.15
@DefaultGateway172.16.1.1 = 172.16.1.1
@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = C:\Program Files\F-Secure\FSPS\program\FSLSP.DLL
000000000002@PackedCatalogItem = C:\Program Files\F-Secure\FSPS\program\FSLSP.DLL

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014@PackedCatalogItem = C:\Program Files\F-Secure\FSPS\program\FSLSP.DLL

C:\Documents and Settings\vlado\Start Menu\Programs\Startup = Adobe Gamma.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
Adobe Reader Speed Launch.lnk = Adobe Reader Speed Launch.lnk
Adobe Reader Synchronizer.lnk = Adobe Reader Synchronizer.lnk
F-Secure Automatic Update.lnk = F-Secure Automatic Update.lnk
Microsoft Office.lnk = Microsoft Office.lnk
Service Manager.lnk = Service Manager.lnk

---- EOF - GMER 1.0.12 ----

offline
  • DEMIAN  Male
  • Legendarni građanin
  • IT Manager
  • Pridružio: 25 Mar 2005
  • Poruke: 3706
  • Gde živiš: The darkest place on earth..

Dosta sumnjivog i nepoznatog imaš ovde.. Pokušaj da pronađeš ove fajlove na disku i opet nam uploaduješ.

C:\WINDOWS\system32\drivers\xkwagrvl.sys
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\vistaui.exe

Takođe preko Windows Search-a ("Files and Folders" unos) propusti ove upite da vidiš da li će naći nešto.
Ako nađeš, takođe - upload.
poibqqbc
dmhadmh


U svakom slučaju moraću da se konsultujem sa ostalima iz tima u vezi ovog. Svrati na forum oko 7-8 da rešimo to..
Pozz

offline
  • vl 
  • Novi MyCity građanin
  • Pridružio: 05 Maj 2007
  • Poruke: 18

Ovaj prvi sam bio nasao preko search-a ali kada sam krenuo da ga iskopiram nije mi dao. Kada sam ga posle ponovo potrazio nisam ga vise nasao ni sa drugom ekstenzijom. Ova druga dva sam nasao. Poslednja dva nisam

Dopuna: 07 Maj 2007 16:43

Malo cu biti odsutan pa cu vratiti tamo oko 7-8. Dako se rijesi ovo

offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Pozz vl, ja cu da preuzmem odavde, posto DeM14n ima nekih obaveza veceras.

Skini sledeci program:
https://www.mycity.rs/must-login.png

Startuj i klikni na dugme Scan na prvom tabu.
Kada zavrsi skeniranje iskopiraj mi ovde sadzaj liste koju bude napravio.
Klikni i na dugme ZIP, sto ce sve skrivene fajlove da spakuje u Catchme.zip koji ce da se nalazi na Desktopu.
Posalji na taj ZIP preko upload linka koji ti je DeM14n vec dao u ranijim postovima.

Ko je trenutno na forumu
 

Ukupno su 984 korisnika na forumu :: 49 registrovanih, 12 sakrivenih i 923 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: alzir86, Arsenije, black venom, Boris Bosiljčić, Bubimir, cemix, darkangel, dragonserbia, Drug pukovnik, Gagi193, Gall, Georgius, Griffon vulture, hurmiza, ink, Ivica1102, Jovan Nenad, krlebgd77, loon123, manda87, Marko Marković, marsovac 2, maskirovka, mean_machine, Milos ZA, miodrag, mnn2, moldway, panda1, Panter, Parker, riva, RobinHood12, Rocker, S2M, Sr.Stat., suton, theNedjeljko, Toni, Trpe Grozni, Van, Vatrogasaccc, Vlada78, Voja1978, wizzardone, zdrebac, zillbg, Zmaj001, Zoca