Problem sa pokretanjem programa

1

Problem sa pokretanjem programa

offline
  • Milorad
  • Pridružio: 09 Feb 2004
  • Poruke: 505
  • Gde živiš: U Srbiji

Napisano: 06 Maj 2011 14:03

Pošto nisam u mogućnosti da pokrenem ComboFix ili bilo koji drugi program za dijagnostiku, šaljem izgled dijaloga i prozora koji se otvaraju bez obzira koji program da pokrenem.
Da li je neko imao slično iskustvo i šta mi preporučujete.



Dopuna: 06 Maj 2011 14:19

1. pri pokretanju Worda, Excela, PhotoShopa, bilo kog .exe fajla , iskače dijalog i prozor opisani u osnovnom postu.
2. Problem se pojavio jutros po pokretanju sistema.
3. Antivirus sam pokrenuo preko novoinstaliranog sistema na drugoj particiji (sistemi su Windows XP Profesional)
4. Skeniranje sa NOD32 4.2 ver, ažuriran. Antivirus sam pokretao sa drugog sistema, sveže instaliranog na drugoj particiji.
5. Internet veza je ADSL 4Mb/512 bita
6. Pre ovoga računar je radio stabilno, imao je uvek ažurairan NOD32 i aktivan Zone Alarm, redovno čišćeni Malware-i, Registry baza, Temporary fajlovi i to je to

offline
  • Pridružio: 02 Feb 2008
  • Poruke: 14018
  • Gde živiš: Nish

Pozdrav chupo17!








Arrow


Sumnjas da imas problema sa malware-om? Ukoliko je odgovor potvrdan, detaljno isprati Uputstvo za otvaranje teme u Ambulanti.



Arrow


ComboFix nije dijagnosticki alat kao ovi iz uputstva. To je jako mocan alat, koji nepravilnim rukovanjem, moze unistiti operativni sistem ili pak sve padatke sa hard diska. Pokrece se iskljucivo uz predlog, nadleznost i detaljno uputstvo helpera koji je expert u toj oblasti i zna sta radi.

Za ubuduce, ne pokreci ComboFix na svoju ruku.







goran9888 (AMF Tim)

offline
  • Milorad
  • Pridružio: 09 Feb 2004
  • Poruke: 505
  • Gde živiš: U Srbiji

1. Pri pokretanju nekih programa, kao što sam naveo u prvom postu otvara se jedan prozor i jedan dijalog, (ako treba da dostavim bolje slike - recite). Znači, ako pokrenem Word direktno preko ikone desiće se problem, ali ako bi pokrenuo Word preko postojećeg fajla onda je funkcionisanje programa normalno.
Ista priča je sa PhotoShopom, Bilo kojim programom iz MS Office paketa... Zanimljivo je da pri pokretanju MozzileFirefox preko Start menija (Default web browser) bez problema otvara pretraživač , ali ako to uradim preko prečice sa Desktopa onda se javlja već pomenuti problem.


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Pc at 14:25:26,64 on pet 06.05.2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.2037.1165 [GMT 2:00]
.
AV: ZoneAlarm Extreme Security Antivirus *Enabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
AV: ESET Smart Security 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Outpost Firewall Pro *Disabled*
FW: ESET Personal firewall *Enabled*
FW: ZoneAlarm Extreme Security Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PaperCut NG\providers\print\win\pc-print.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Pc\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
D:\Desktop\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/webhp?hl=sr
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - d:\progra~1\micros~1\office12\GRA8E1~1.DLL
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\pc\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTProAgent.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mPolicies-explorer: UseDesktopIniCache = 1 (0x1)
IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: {9DC9770D-D1FC-4352-9A91-9622356CB181} = 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - d:\progra~1\micros~1\office12\GR99D3~1.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - d:\progra~1\micros~1\office12\GRA8E1~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\pc\applic~1\mozilla\firefox\profiles\ed3b5n7w.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://vshare.toolbarhome.com/search.aspx?srch=ku&q=
FF - plugin: c:\documents and settings\pc\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\pc\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\pc\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2011-3-25 128016]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-3-24 114984]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-3-25 317072]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-3-25 528128]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2010-3-24 810120]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2010-8-27 26352]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2010-8-27 493032]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2011-2-11 35088]
R2 PCPrintProvider;PaperCut Print Provider;c:\program files\papercut ng\providers\print\win\pc-print.exe [2011-1-13 323584]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2010-4-16 44032]
S2 aautp;Network Support;c:\windows\system32\svchost.exe -k netsvcs [2004-6-10 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-21 136176]
S2 jijrkgk;Task Monitor;c:\windows\system32\svchost.exe -k netsvcs [2004-6-10 14336]
S2 PCAppServer;PaperCut Application Server;c:\program files\papercut ng\server\bin\win\pc-server.exe [2011-1-13 135168]
S2 sqztj;Driver Server;c:\windows\system32\svchost.exe -k netsvcs [2004-6-10 14336]
S2 wnwvq;Monitor Time;c:\windows\system32\svchost.exe -k netsvcs [2004-6-10 14336]
S2 zliuoyxra;Shell Windows;c:\windows\system32\svchost.exe -k netsvcs [2004-6-10 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-4-16 1684736]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2011-2-17 30192]
S3 icsak;icsak;c:\program files\checkpoint\zaforcefield\ak\icsak.sys [2010-8-27 35568]
S3 TrmbTS;TrmbTS;c:\windows\system32\drivers\TrmbTS.sys [2010-11-10 29184]
S3 TRMUSB5K;Trimble USB GPS Driver;c:\windows\system32\drivers\TRMUSB5K.SYS [2010-11-10 9881]
S4 PCWebPrint;PaperCut Web Print Server;c:\program files\papercut ng\providers\web-print\win\pc-web-print.exe [2011-1-13 282624]
.
=============== File Associations ===============
.
.scr=AutoCADScriptFile
.
=============== Created Last 30 ================
.
2011-05-06 12:06:48 291328 ----a-w- C:\gmer.exe
2011-04-18 10:08:48 -------- d-----w- c:\docume~1\pc\applic~1\My Games
2011-04-18 09:56:59 -------- d-----w- c:\docume~1\pc\applic~1\Xfire
2011-04-18 09:56:57 -------- d-s---w- c:\program files\Xfire
2011-04-18 07:25:11 -------- d-----w- c:\program files\Firaxis Games
2011-04-07 12:52:00 -------- d-----w- c:\docume~1\pc\locals~1\applic~1\My Games
2011-04-07 12:36:51 -------- d--h--w- c:\windows\msdownld.tmp
2011-04-07 12:36:39 -------- d-----w- c:\windows\Logs
2011-04-07 07:20:05 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\DotNetInstaller.exe
2011-04-07 06:05:13 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2011-04-07 06:03:42 184320 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iuser.dll
2011-04-07 06:03:41 753664 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iKernel.dll
2011-04-07 06:03:41 69714 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\ctor.dll
2011-04-07 06:03:41 274432 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iscript.dll
2011-04-07 06:03:38 200836 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iGdi.dll
2011-04-07 06:03:37 331908 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\setup.dll
2011-04-07 05:55:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Pro
2011-04-07 05:55:02 -------- d-----w- c:\docume~1\pc\applic~1\DAEMON Tools Pro
2011-04-07 05:51:46 -------- d-----w- c:\program files\DAEMON Tools Pro
2011-04-06 22:36:27 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
.
==================== Find3M ====================
.
2011-02-11 21:23:34 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2011-02-11 21:23:34 281104 ----a-w- c:\windows\system32\wpcap.dll
2011-02-11 21:23:34 100880 ----a-w- c:\windows\system32\Packet.dll
.
============= FINISH: 14:26:56,59 ===============





2. https://www.mycity.rs/must-login.png
3. https://www.mycity.rs/must-login.png

Ovako za početak, čekam dalje instrukcije.

offline
  • Pridružio: 02 Feb 2008
  • Poruke: 14018
  • Gde živiš: Nish

Nije dobar pocetak.


Detaljno isprati Uputstvo za koje sam ti ostavio link i postavi GMER izvestaje. Ukoliko ne radi GMER, imas Uputstvo za alternativu (RootRepeal).







goran9888 (AMF Tim)

offline
  • Milorad
  • Pridružio: 09 Feb 2004
  • Poruke: 505
  • Gde živiš: U Srbiji

Ne mogu da pokrenem niti GMER niti RootRepeal, jer se pri pokušaju pokretanja, dešava već pomenuto.

offline
  • Pridružio: 02 Feb 2008
  • Poruke: 14018
  • Gde živiš: Nish

U toku resavanja slucaja, zamolio bih te da se pridrzavas sledeceg:
Detaljno citati moja uputstva (ili uputstva kolega koji ce me zamenjivati) i raditi iskljucivo po njima;
Ne traziti istovremeno pomoc na drugom mestu;
Nemoj koristiti druge programe za uklanjanje malware-a, osim onih za koje budes dobio uputstvo;
U toku intervencije ne koristiti USB memorijske uredjaje, dok to ne budem zatrazio;
Ukoliko ne odgovorim u roku od 48h, osvezi temu novim post-om;
Ukoliko se ne javis u roku od 5 dana, zatvoricemo slucaj.

Za vise informacija o pravilima Ambulante MyCity foruma: LINK

-------------------------------------------------------------------------------------




- Deinstaliraj iz Control Panel -> Add or Remove Programs (nikako uz pomoc third part uninstallera) sledece aplikacije:

ZoneAlarm Extreme Security
SUPERAntiSpyware
ESET Smart Security


ESET SS uklanjas jer nije legalan, tj. koristis nelegalan nacin da dodjes do licence. To nikako nije preporucljivo. Bolje je koristiti besplatan antivirus ako vec ne zelis da izdvojis novac za komercijalni proizvod. Znaci ukloni i aplikaciju pod nazivom: TNod User & Password Finder.

Takodje, deinstaliraj i sve ostale aplikacije koje ne koristis (a imas ih, ihaha...).


- Imas ostatke Kaspersky proizvoda na svom racunaru (nije dobro deinstaliran najverovatnije). Uz pomoc Removal tool for Kaspersky Lab products pokusaj da uklonis te ostatke. Uputstvo i sam alat mozes naci na sledecem linku: http://support.kaspersky.com/faq/?qid=208279463


- Restartuj racunar.


Arrow

Preuzmi sUBs-ov ComboFix (ako imas neku drugu verziju ComboFix-a obrisi je) sa sledeće adrese na Desktop:


Bleeping Computer
Klikni desnim tasterom na link i odaberi opciju Save Target As... (Save Link As..., Save Linked Content As... ili sličnu);
Kada se otvori dijalog za izbor lokacije na kojoj treba sačuvati file, odaberi Desktop i klikni Save.




Kada preuzimanje programa bude završeno:
deaktiviraj zaštitni softver (uputstvo);
zatvori pokrenute programe;
dvoklikom pokreni program ComboFix.

U toku rada, ComboFix će:proveriti postoji li novija verzija programa:
klikni Yes ako bude ponuđeno preuzimanje iste.
prikazati DISCLAIMER OF WARRANTY ON SOFTWARE:
klikni Yes kako bi proces bio nastavljen.
ako Recovery Console nije instalirana, ponuditi instalaciju:
obavezno prihvati klikom na Yes i isprati postupak.
postaviti/dati određeni broj upita/obaveštenja:
prihvati klikom na Yes ili OK.
po potrebi, restartovati Windows (više puta);
na kraju rada, otvoriti Notepad sa izveštajem o skeniranju.


Iskopiraj izveštaj koji je ComboFix napravio u temu na forumu:
klikni desnim tasterom miša u prozor Notepad-a i izaberi Select All;
klikni desnim tasterom miša na obeleženi tekst i izaberi Copy;
klikni desnim tasterom miša u polje za pisanje poruke i izaberi Paste.


Napomena:Izveštaj će biti sačuvan pod nazivom ComboFix.txt na sistemskoj particiji (tipična lokacija: C:\ComboFix.txt);
Ukoliko nakon slanja poruke primetiš da izveštaj nije kompletan, iskoristi opciju Prikači fajl za prilaganje file-a C:\ComboFix.txt uz poruku.








goran9888 (AMF Tim)

offline
  • Milorad
  • Pridružio: 09 Feb 2004
  • Poruke: 505
  • Gde živiš: U Srbiji

chupo17 ::Napisano: 06 Maj 2011 14:03

Pošto nisam u mogućnosti da pokrenem ComboFix ...



...

Očigledno da ne nalazimo zajednički jezik.
Ne mogu pokrenuti ComboFix (ni u Safe modu)
Ne mogu uću u Add/Remove programs, jer se ponavlja priča sa iskakanjem prozora CommandPrompta prikazanog na slici.

offline
  • Pridružio: 02 Feb 2008
  • Poruke: 14018
  • Gde živiš: Nish

Start -> Run -> rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl



Ukoliko se startovao Add or Remove Programs, ukloni aplikacije koje sam napisao da uklonis u mojoj prethodnoj poruci.

Ukoliko se ne startuje, onda ...

Skini aplikaciju AppRemover na Desktop:

AppRemover


Pokreni je dvoklikom i idi na Next;
Na sledecem ekranu izaberi prvu opciju (Remove Security Application) i opet idi na Next;
Nakon zavrsenog skeniranja idi na Next i stikliraj sve aplikacije koju su prikazane; opet idi na Next a nakon toga na Reboot Now nakon cega ce sistem da se resetuje;
Ponovo pokreni program izaberi drugu opciju (Clean Up a Failed Uninstall) u programu i stikliraj sve sto program nadje skeniranjem;
Trebalo bi da AppRemover ukloni sav security software sa tvog racunara.


Ukoliko postupak bude uspesan, napisi mi koje si aplikacije uspeo da uklonis uz pomoc AppRemover-a, takodje pokreni Removal Tool for Kaspersky Lab products i pokusaj da nakon resetovanja sistema pokrenes CF.






goran9888 (AMF Tim)

offline
  • Milorad
  • Pridružio: 09 Feb 2004
  • Poruke: 505
  • Gde živiš: U Srbiji

Napisano: 09 Maj 2011 16:33

ZoneAlarm nisam uspeo da skinem, a pokušao sam po preporuci.
ComboFix sam uspeo da pokrenem i log je u nastavku.
ComboFix 11-05-08.04 - Pc 09.05.2011 16:21:59.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.2037.1387 [GMT 2:00]
Running from: d:\desktop\ComboFix.exe
FW: Outpost Firewall Pro *Disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
FW: ZoneAlarm Extreme Security Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-09 to 2011-05-09 )))))))))))))))))))))))))))))))
.
.
2011-05-09 14:15 . 2011-05-09 14:15 -------- d-----w- c:\windows\LastGood
2011-05-09 08:53 . 2011-05-09 08:53 -------- d-----w- c:\program files\CCleaner
2011-05-09 08:07 . 2011-05-09 08:10 -------- d-----w- c:\windows\system32\NtmsData
2011-05-09 06:44 . 2011-05-09 06:44 388096 ----a-r- c:\documents and settings\Pc\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-06 12:06 . 2009-11-06 11:16 291328 ----a-w- C:\gmer.exe
2011-05-06 10:22 . 2011-05-09 08:48 256 ----a-w- C:\sccfg.sys
2011-05-06 07:16 . 2011-05-06 07:16 -------- d-----r- C:\MSOCache
2011-04-18 10:08 . 2011-05-09 09:42 -------- d-----w- c:\documents and settings\Pc\Application Data\My Games
2011-04-18 09:56 . 2011-04-18 09:57 -------- d-----w- c:\documents and settings\Pc\Application Data\Xfire
2011-04-18 09:56 . 2011-04-18 09:56 -------- d-s---w- c:\program files\Xfire
2011-04-18 07:25 . 2011-04-18 07:25 -------- d-----w- c:\program files\Firaxis Games
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 22:36 . 2011-04-06 22:36 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-02-11 21:23 . 2011-02-11 21:23 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2011-02-11 21:23 . 2011-02-11 21:23 35088 ----a-w- c:\windows\system32\drivers\npf.sys
2011-02-11 21:23 . 2011-02-11 21:23 281104 ----a-w- c:\windows\system32\wpcap.dll
2011-02-11 21:23 . 2011-02-11 21:23 100880 ----a-w- c:\windows\system32\Packet.dll
2011-04-29 11:11 . 2011-03-23 07:29 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-02-17 06:50 . 2011-02-17 06:50 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-02-17 30192]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-10-27 11000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"UseDesktopIniCache"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Firebird\\Firebird_1_5\\bin\\fbserver.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\Pc\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5297:TCP"= 5297:TCP:orgdkxn
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"9191:TCP"= 9191:TCP:PaperCut NG HTTP
"9192:TCP"= 9192:TCP:PaperCut NG HTTPS
"9193:TCP"= 9193:TCP:PaperCut NG Binary
"5114:TCP"= 5114:TCP:PaperCut NG Firmware
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/7/2011 12:36 AM 685816]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [8/27/2010 11:33 AM 26352]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [8/27/2010 11:34 AM 493032]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2/11/2011 11:23 PM 35088]
R2 PCPrintProvider;PaperCut Print Provider;c:\program files\PaperCut NG\providers\print\win\pc-print.exe [1/13/2011 1:32 PM 323584]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [4/16/2010 2:51 PM 44032]
S2 aautp;Network Support;c:\windows\system32\svchost.exe -k netsvcs [6/10/2004 6:15 PM 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/21/2010 9:21 AM 136176]
S2 jijrkgk;Task Monitor;c:\windows\system32\svchost.exe -k netsvcs [6/10/2004 6:15 PM 14336]
S2 PCAppServer;PaperCut Application Server;c:\program files\PaperCut NG\server\bin\win\pc-server.exe [1/13/2011 1:32 PM 135168]
S2 sqztj;Driver Server;c:\windows\system32\svchost.exe -k netsvcs [6/10/2004 6:15 PM 14336]
S2 wnwvq;Monitor Time;c:\windows\system32\svchost.exe -k netsvcs [6/10/2004 6:15 PM 14336]
S2 zliuoyxra;Shell Windows;c:\windows\system32\svchost.exe -k netsvcs [6/10/2004 6:15 PM 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [4/16/2010 2:49 PM 1684736]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/17/2011 8:50 AM 30192]
S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [8/27/2010 11:33 AM 35568]
S3 TrmbTS;TrmbTS;c:\windows\system32\drivers\TrmbTS.sys [11/10/2010 1:19 PM 29184]
S3 TRMUSB5K;Trimble USB GPS Driver;c:\windows\system32\drivers\TRMUSB5K.SYS [11/10/2010 1:19 PM 9881]
S4 PCWebPrint;PaperCut Web Print Server;c:\program files\PaperCut NG\providers\web-print\win\pc-web-print.exe [1/13/2011 1:32 PM 282624]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wnwvq
sqztj
aautp
jijrkgk
zliuoyxra
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-21 07:21]
.
2011-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-21 07:21]
.
2011-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-261903793-839522115-1003Core.job
- c:\documents and settings\Pc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-08 14:34]
.
2011-05-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-261903793-839522115-1003UA.job
- c:\documents and settings\Pc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-08 14:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?hl=sr
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
TCP: {8EBDE815-A126-43FB-80A3-C5F4595953E5} = 192.168.0.1
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-09 16:27
Windows 5.1.2600 Service Pack 3, v.3264 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\aautp]
"ServiceDll"="c:\windows\system32\wrwtw.dll"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jijrkgk]
"ServiceDll"="c:\windows\system32\wrwtw.dll"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\sqztj]
"ServiceDll"="c:\windows\system32\wrwtw.dll"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wnwvq]
"ServiceDll"="c:\windows\system32\xlnalpu.dll"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\zliuoyxra]
"ServiceDll"="c:\windows\system32\wrwtw.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2372)
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\dot3dlg.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\hnetcfg.dll
.
Completion time: 2011-05-09 16:29:06
ComboFix-quarantined-files.txt 2011-05-09 14:29
.
Pre-Run: 132.407.595.008 bytes free
Post-Run: 132.363.661.312 bytes free
.
- - End Of File - - 886AC110BCBC51ACD4931455374FCE0D

Dopuna: 09 Maj 2011 16:53

Nadam se da nećeš prilaganje DDS izveštaja nećeš uzeti kao nepoštovanje protokola, jer sam ti to odavno ostao dužan, ali do sada nisam uspeo da ga pokrenem.


https://www.mycity.rs/must-login.png

https://www.mycity.rs/must-login.png

offline
  • Pridružio: 02 Feb 2008
  • Poruke: 14018
  • Gde živiš: Nish

Vidi ovako ...


- Sta se dogodi kada pokusas da uklonis ZoneAlarm® Extreme Security? Taj paket u sebi sadrzi pored FW-a i Antivirus/Spyware engine, tako da ti nisi instalirao samo FW. Evo, baci pogled sta Extreme Security packet ima u sebi: Link
Znaci, ako imas ZA Extreme Security na racunaru, onda ti klasican AV nije potreban. Procitaj ovaj clanak za vise informacija: informacija.rs

- Napisi mi, koju kombinaciju AV i FW zelis da imas na sistemu, da bih ti ja napisao da li je to ok i da ti dam eventualne smernice/link-ove za download. Predlazem da koristis besplatne security programe.

- Skini i instaliraj sledece: Security Update for Windows XP


Jako je bitno da iskljucis AV pre pustanja ComboFix-a: LINK


Arrow


Otvoriti Notepad i iskopirati sledeci tekst:

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
 "5297:TCP"=-

Driver::
aautp
jijrkgk
sqztj
wnwvq
zliuoyxra

NetSvc::
wnwvq
sqztj
aautp
jijrkgk
zliuoyxra

File::
c:\windows\system32\wrwtw.dll


SecCenter::
{8A20CA2A-9E02-4A64-923B-0A38208EB7FD}


RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
 @Denied: (A 2) (Everyone)
 @="FlashBroker"
 "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
 .
 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
 "Enabled"=dword:00000001
 .
 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
 @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
 .
 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
 @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
 .
 [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
 @Denied: (A 2) (Everyone)
 @="IFlashBroker4"
 .
 [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
 @="{00020424-0000-0000-C000-000000000046}"
 .
 [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
 @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
 "Version"="1.0"


Snimiti na Desktop fajl iz Notepada kao "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.






goran9888 (AMF Tim)

Ko je trenutno na forumu
 

Ukupno su 1040 korisnika na forumu :: 53 registrovanih, 9 sakrivenih i 978 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: A.R.Chafee.Jr., arsa, Ben Roj, bladesu, brundo65, dankisha, Dimitrise93, Djokislav, Doca, DonRumataEstorski, Dorcolac, dragoljub11987, DragoslavS, Fog of War, Frunze, Georgius, glada, kinez88, kljift, Krusarac, kunktator, kybonacci, ljuba, lord sir giga, LUDI, Luka Blažević, M1los, Marko.anticc, marsovac 2, mercedesamg, milenko crazy north, nebkv, nemkea71, Parker, Romibrat, savaskytec, Shinobi, slonic_tonic, Smajser, Srky Boy, Steeeefan, Stoilkovic, theNedjeljko, tmanda323, uruk, VanHelsing, Vatreni Zmaj, VJ, Vlad000, Volkhov-M, zixmix, zlaya011, Čivi