blocked internet access

offline
  • bobm
  • New MyCity citizen
  • Joined: 09 Feb 2009
  • Posts: 14

Posted: 02 Sep 2009 19:50

hello good people.

The problem is that at some point the internet just stops working, i.e. I'm still connected and when I look at the connection I can see data passing through (it's both downloading and sending something), but I can't open a single web page. A few days ago the same thing happened to a friend (he opens Firefox, goes to Google, runs a search, it shows him the results, but he can't open anything beyond that), but his AVG wasn't able to find anything.

Before opening this thread I ran a scan with NOD32 and it found Win32/TrojanDownloader.Bredolab.AH in the following places:
C:\Documents and Settings\Marko\Local Settings\Temp\~TM127.tmp - Win32/TrojanDownloader.Bredolab.AH trojan - deleted
C:\Documents and Settings\Marko\Local Settings\Temp\~TM12F.tmp - Win32/TrojanDownloader.Bredolab.AH trojan - deleted
C:\Documents and Settings\Marko\Local Settings\Temporary Internet Files\Content.IE5\OYFC893V\load[1].exe - Win32/TrojanDownloader.Bredolab.AH trojan - deleted
C:\Documents and Settings\Marko\Local Settings\Temporary Internet Files\Content.IE5\QT3P26QE\load[1].exe - Win32/TrojanDownloader.Bredolab.AH trojan - deleted
C:\System Volume Information\_restore{B87C2BF6-ED0C-4C3E-80E9-1B2E873B92CB}\RP330\A0187795.exe - Win32/TrojanDownloader.Bredolab.AH trojan - deleted
C:\WINDOWS\pss\rncsys32.exeStartup - Win32/TrojanDownloader.Bredolab.AH trojan - deleted

and as you can see it managed to delete them.

After a restart the internet works, but I wanted to go through this in case the symptoms come back, since I'm not sure the problem was caused by it

DDS (Ver_09-07-30.01) - NTFSx86
Run by Marko at 19:41:53,00 on 02.09.2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.2047.1406 [GMT 2:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Marko\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.rs/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
TCP: {89BEC66A-15EA-45E0-A479-AFD7E61616B0} = 77.105.0.19 77.105.0.18
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marko\applic~1\mozilla\firefox\profiles\3rqignbl.default\
FF - plugin: c:\documents and settings\marko\application data\mozilla\firefox\profiles\3rqignbl.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\marko\application data\mozilla\firefox\profiles\3rqignbl.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-4-12 15424]
R2 HWiNFO32;HWiNFO32 Kernel Driver;c:\documents and settings\marko\desktop\hw32_237\HWiNFO32.sys [2009-2-11 16872]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2008-4-12 552064]
R3 AtmElan;ATM Emulated LAN;c:\windows\system32\drivers\atmlane.sys [2002-12-31 55808]
R3 TIAU5CO;Actiontec Home DSL Modem(WAN) Service;c:\windows\system32\drivers\tiau5co.sys [2008-11-5 57093]
S1 glaide32;glaide32;\??\c:\windows\system32\drivers\glaide32.sys --> c:\windows\system32\drivers\glaide32.sys [?]
S3 AtmLane;ATM LAN Emulation;c:\windows\system32\drivers\atmlane.sys [2002-12-31 55808]
S3 DualCoreCenter;DualCoreCenter;c:\program files\msi\dualcorecenter\NTGLM7X.sys [2008-4-12 28160]
S3 iTurns;iTurns;c:\windows\system32\drivers\iTurnsDriver.sys [2008-11-28 10704]
S3 RushTopDevice2;RushTopDevice2;c:\program files\msi\dualcorecenter\RushTop.sys [2008-4-12 51200]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 TIAu5Bt;Actiontec Home DSL Modem Boot Device Service;c:\windows\system32\drivers\tiau5bt.sys [2008-11-5 11775]

=============== Created Last 30 ================


==================== Find3M ====================

2009-03-18 20:26 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009031820090319\index.dat

============= FINISH: 19:42:00,29 ===============

I'll attach the gmer log in a few minutes; I typed all this out first so I don't risk it disappearing :)

thanks in advance

Update: 02 Sep 2009 23:19

I just noticed that I can't edit. Delete this afterwards if you want, I'm just checking in to say I haven't given up, it's just that this gmer scan is taking forever. My own fault for having 320GB on the Windows partition...

Update: 03 Sep 2009 15:25

here are the gmer logs at last, it took ages and ages...

offline
  • Joined: 04 Jan 2009
  • Posts: 2168

Hello.


Download sUBs' ComboFix from the following address to the Desktop:


Bleeping Computer
Right-click the link and choose the Save Target As... option (Save Link As..., Save Linked Content As... or similar);
When the dialog for choosing where to save the file opens, choose Desktop and click Save.


When the download is finished:
disable your security software (instructions);
close any running programs;
double-click ComboFix to run it.

While it runs, ComboFix will:
check whether a newer version of the program exists:
click Yes if offered to download it.
show the DISCLAIMER OF WARRANTY ON SOFTWARE:
click Yes so the process continues.
if the Recovery Console is not installed, offer to install it:
be sure to accept by clicking Yes and follow the procedure.
ask a number of questions/show notices:
accept by clicking Yes or OK.
if needed, restart Windows (more than once);
at the end, open Notepad with the scan report.


Copy the report ComboFix produced into the thread on the forum:
right-click in the Notepad window and choose Select All;
right-click the highlighted text and choose Copy;
right-click in the message box and choose Paste.


Note: the report will be saved under the name ComboFix.txt on the system partition (typical location: C:\ComboFix.txt);
If after posting you notice the report isn't complete, use the Attach file option to attach the file C:\ComboFix.txt to your post.

offline
  • bobm
  • New MyCity citizen
  • Joined: 09 Feb 2009
  • Posts: 14

ComboFix 09-09-03.02 - Marko 03.09.2009 23:33.1.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.2047.1604 [GMT 2:00]
Running from: c:\documents and settings\Marko\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Marko\Application Data\wiaserva.log
C:\restore
c:\windows\UA000079.DLL

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_glaide32


((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-03 21:42 . 2008-12-03 17:32 -------- d-----w- c:\documents and settings\Marko\Application Data\skypePM
2009-09-03 21:42 . 2008-12-03 17:29 -------- d-----w- c:\documents and settings\Marko\Application Data\Skype
2009-09-03 21:26 . 2008-04-15 03:19 -------- d-----w- c:\documents and settings\Marko\Application Data\Azureus
2009-09-03 13:14 . 2008-09-10 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-02 21:00 . 2008-04-15 03:16 -------- d-----w- c:\program files\Azureus
2009-09-02 16:54 . 2008-04-12 17:02 -------- d-----w- c:\program files\Free Download Manager
2009-09-01 12:32 . 2008-11-10 14:45 2311472 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-23 20:07 . 2009-06-23 20:07 26 ----a-w- c:\windows\mtagree07011993t.dat
2008-04-12 17:07 . 2008-04-12 17:07 0 --sh--w- c:\windows\S3EBE3C18.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-18 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-04-12 949376]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DualCoreCenter.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DualCoreCenter.lnk
backup=c:\windows\pss\DualCoreCenter.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Marko^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Marko\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Marko^Start Menu^Programs^Startup^rncsys32.exe]
path=c:\documents and settings\Marko\Start Menu\Programs\Startup\rncsys32.exe
backup=c:\windows\pss\rncsys32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [4/12/2008 6:56 PM 15424]
R2 HWiNFO32;HWiNFO32 Kernel Driver;c:\documents and settings\Marko\Desktop\hw32_237\HWiNFO32.sys [2/11/2009 12:25 AM 16872]
R3 AtmElan;ATM Emulated LAN;c:\windows\system32\drivers\atmlane.sys [12/31/2002 2:00 PM 55808]
R3 TIAU5CO;Actiontec Home DSL Modem(WAN) Service;c:\windows\system32\drivers\tiau5co.sys [11/5/2008 11:46 PM 57093]
S3 AtmLane;ATM LAN Emulation;c:\windows\system32\drivers\atmlane.sys [12/31/2002 2:00 PM 55808]
S3 DualCoreCenter;DualCoreCenter;c:\program files\MSI\DualCoreCenter\NTGLM7X.sys [4/12/2008 6:28 PM 28160]
S3 iTurns;iTurns;c:\windows\system32\drivers\iTurnsDriver.sys [11/28/2008 9:26 PM 10704]
S3 RushTopDevice2;RushTopDevice2;c:\program files\MSI\DualCoreCenter\RushTop.sys [4/12/2008 6:28 PM 51200]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 TIAu5Bt;Actiontec Home DSL Modem Boot Device Service;c:\windows\system32\drivers\tiau5bt.sys [11/5/2008 11:46 PM 11775]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-09-03 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-04-16 07:59]

2009-09-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-12 13:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.rs/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
TCP: {89BEC66A-15EA-45E0-A479-AFD7E61616B0} = 77.105.0.18 77.105.0.19
FF - ProfilePath - c:\documents and settings\Marko\Application Data\Mozilla\Firefox\Profiles\3rqignbl.default\
FF - plugin: c:\documents and settings\Marko\Application Data\Mozilla\Firefox\Profiles\3rqignbl.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\Marko\Application Data\Mozilla\Firefox\Profiles\3rqignbl.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-09-03 23:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-73586283-1060284298-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:d4,fd,8c,98,99,1f,29,8c,c3,fa,b1,c2,c0,e8,09,ff,55,49,09,7a,9a,2a,ce,
27,34,29,9b,82,3f,b7,07,e8,c4,d3,75,7d,22,0b,d2,5b,3f,10,0f,6b,a8,ae,21,ab,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-73586283-1060284298-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:50,b6,ba,da,87,36,d9,35,28,d7,bd,e0,c9,8f,31,e1,43,fd,3a,1b,9f,
26,99,90,0b,d6,6d,5a,49,de,0b,a3,97,31,70,5e,ee,56,61,85,16,26,d6,9a,8c,fb,\
"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1136)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1192)
c:\windows\system32\imon.dll

- - - - - - - > 'explorer.exe'(340)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\ESET\nod32krn.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-09-03 23:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-03 21:46

Pre-Run: 46.252.847.104 bytes free
Post-Run: 46.188.019.712 bytes free


offline
  • Joined: 04 Jan 2009
  • Posts: 2168

Open Notepad and copy the following text into it:


File::
c:\windows\pss\rncsys32.exeStartup

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Marko^Start Menu^Programs^Startup^rncsys32.exe]



Save the file from Notepad to the Desktop as "CFScript"




Drag the saved script/text onto the ComboFix icon as shown in the picture.
In your next post, paste the log that is produced at the end of the cleaning/scanning.
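Why the script above targets those two items, as an added example that is not part of the original thread or of ComboFix: the `[HKLM\~\startupfolder\...]` blocks in the ComboFix log are msconfig's record of Startup-folder items that were disabled, and msconfig keeps a backup of each disabled item under C:\Windows\pss, which is exactly where NOD32 found rncsys32.exeStartup and where a user re-enabling the item in msconfig would get it back from. The Python below parses those blocks, flags any entry whose original file is a bare executable rather than a .lnk shortcut, and emits the same File::/Registry:: CFScript the helper wrote. The sample lines are copied from the ComboFix log in this thread; the "HKLM\~" expansion, the "raw executable in Startup" heuristic and all function names are this example's own assumptions.

```python
r"""Triage helper for the msconfig 'startupfolder' blocks in a ComboFix log.

Added example, not part of the original thread or of ComboFix. Assumptions:
ComboFix prints HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig as "HKLM\~",
msconfig writes '^' in place of '\' in the value name, and a legitimate
Startup-folder item is normally a .lnk shortcut, so a bare executable there
deserves a second look.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# ComboFix's abbreviation of the msconfig key prefix, reused when writing a CFScript.
MSCONFIG_ABBREV = r"HKLM\~"

# Heuristic (assumption): these extensions sitting directly in a Startup folder
# are suspicious; normal entries are .lnk shortcuts.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

_HEADER = re.compile(r"^\[HKLM\\~\\startupfolder\\(?P<suffix>[^\]]+)\]$")


@dataclass
class DisabledStartupItem:
    key_suffix: str   # value name as ComboFix printed it, '^' standing for '\'
    path: str         # where the item lived before msconfig disabled it
    backup: str       # copy msconfig keeps under %windir%\pss; re-enabling restores it

    @property
    def original_path(self) -> str:
        """Decode msconfig's '^' separators back into a Windows path."""
        return self.key_suffix.replace("^", "\\")

    @property
    def suspicious(self) -> bool:
        return ntpath.splitext(self.path)[1].lower() in EXECUTABLE_EXTS


def parse_startupfolder_entries(log_text: str) -> list[DisabledStartupItem]:
    r"""Collect every [HKLM\~\startupfolder\...] block with its path= and backup= lines."""
    items: list[DisabledStartupItem] = []
    block: dict | None = None

    def flush() -> None:
        if block and "path" in block and "backup" in block:
            items.append(DisabledStartupItem(**block))

    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # any registry key header ends the previous block
            flush()
            m = _HEADER.match(line)
            block = {"key_suffix": m.group("suffix")} if m else None
        elif block is not None and line.startswith("path="):
            block["path"] = line[len("path="):]
        elif block is not None and line.startswith("backup="):
            block["backup"] = line[len("backup="):]
    flush()
    return items


def build_cfscript(item: DisabledStartupItem) -> str:
    """CFScript that deletes the pss backup and the msconfig key, in the form used in this thread."""
    return (
        "File::\n"
        f"{item.backup}\n"
        "\n"
        "Registry::\n"
        f"[-{MSCONFIG_ABBREV}\\startupfolder\\{item.key_suffix}]\n"
    )


def flag_items(log_text: str) -> list[DisabledStartupItem]:
    """Parse the log and keep only the entries the heuristic considers suspicious."""
    return [item for item in parse_startupfolder_entries(log_text) if item.suspicious]


# Lines copied from the ComboFix log posted in this thread, followed by an
# unrelated key to show that the parser stops at it.
SAMPLE_LOG = r"""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DualCoreCenter.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DualCoreCenter.lnk
backup=c:\windows\pss\DualCoreCenter.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Marko^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Marko\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Marko^Start Menu^Programs^Startup^rncsys32.exe]
path=c:\documents and settings\Marko\Start Menu\Programs\Startup\rncsys32.exe
backup=c:\windows\pss\rncsys32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"""

if __name__ == "__main__":
    for item in flag_items(SAMPLE_LOG):
        print(f"suspicious disabled startup item: {item.original_path}")
        print(f"  backup kept by msconfig:        {item.backup}")
        print("  CFScript:")
        print(build_cfscript(item))
```

Run against the thread's log it flags only rncsys32.exe and prints a CFScript identical to the one in the post above; the two .lnk entries (DualCoreCenter, MagicDisc) pass the heuristic. The check is deliberately narrow: it says nothing about an executable that is referenced through a shortcut, so it is a triage filter for reading these logs, not a substitute for looking at what the backup under C:\Windows\pss actually is.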

offline
  • bobm
  • New MyCity citizen
  • Joined: 09 Feb 2009
  • Posts: 14

ComboFix 09-09-03.02 - Marko 04.09.2009 14:00.2.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.2047.1331 [GMT 2:00]
Running from: c:\documents and settings\Marko\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Marko\Desktop\CFScript.txt
AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\windows\pss\rncsys32.exeStartup"
.

((((((((((((((((((((((((( Files Created from 2009-08-04 to 2009-09-04 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-04 11:54 . 2008-12-03 17:29 -------- d-----w- c:\documents and settings\Marko\Application Data\Skype
2009-09-04 11:05 . 2008-04-15 03:19 -------- d-----w- c:\documents and settings\Marko\Application Data\Azureus
2009-09-04 06:02 . 2008-12-03 17:32 -------- d-----w- c:\documents and settings\Marko\Application Data\skypePM
2009-09-03 13:14 . 2008-09-10 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-02 21:00 . 2008-04-15 03:16 -------- d-----w- c:\program files\Azureus
2009-09-02 16:54 . 2008-04-12 17:02 -------- d-----w- c:\program files\Free Download Manager
2009-09-01 12:32 . 2008-11-10 14:45 2311472 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-23 20:07 . 2009-06-23 20:07 26 ----a-w- c:\windows\mtagree07011993t.dat
2008-04-12 17:07 . 2008-04-12 17:07 0 --sh--w- c:\windows\S3EBE3C18.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-09-03_21.43.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-12-31 12:00 . 2009-09-03 21:46 78776 c:\windows\system32\perfc009.dat
+ 2008-04-12 17:08 . 2009-09-04 11:05 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
- 2008-04-12 17:08 . 2008-10-21 19:22 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2002-12-31 12:00 . 2009-09-03 21:46 449494 c:\windows\system32\perfh009.dat
+ 2009-07-18 03:21 . 2009-07-18 03:21 257440 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-07-18 03:21 . 2009-07-18 03:21 3883424 c:\windows\system32\Macromed\Flash\NPSWF32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-18 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-04-12 949376]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DualCoreCenter.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DualCoreCenter.lnk
backup=c:\windows\pss\DualCoreCenter.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Marko^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Marko\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [4/12/2008 6:56 PM 15424]
R2 HWiNFO32;HWiNFO32 Kernel Driver;c:\documents and settings\Marko\Desktop\hw32_237\HWiNFO32.sys [2/11/2009 12:25 AM 16872]
R3 AtmElan;ATM Emulated LAN;c:\windows\system32\drivers\atmlane.sys [12/31/2002 2:00 PM 55808]
R3 TIAU5CO;Actiontec Home DSL Modem(WAN) Service;c:\windows\system32\drivers\tiau5co.sys [11/5/2008 11:46 PM 57093]
S3 AtmLane;ATM LAN Emulation;c:\windows\system32\drivers\atmlane.sys [12/31/2002 2:00 PM 55808]
S3 DualCoreCenter;DualCoreCenter;c:\program files\MSI\DualCoreCenter\NTGLM7X.sys [4/12/2008 6:28 PM 28160]
S3 iTurns;iTurns;c:\windows\system32\drivers\iTurnsDriver.sys [11/28/2008 9:26 PM 10704]
S3 RushTopDevice2;RushTopDevice2;c:\program files\MSI\DualCoreCenter\RushTop.sys [4/12/2008 6:28 PM 51200]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 TIAu5Bt;Actiontec Home DSL Modem Boot Device Service;c:\windows\system32\drivers\tiau5bt.sys [11/5/2008 11:46 PM 11775]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-09-04 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-04-16 07:59]

2009-09-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-12 13:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.rs/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
TCP: {89BEC66A-15EA-45E0-A479-AFD7E61616B0} = 77.105.0.19 77.105.0.18
FF - ProfilePath - c:\documents and settings\Marko\Application Data\Mozilla\Firefox\Profiles\3rqignbl.default\
FF - plugin: c:\documents and settings\Marko\Application Data\Mozilla\Firefox\Profiles\3rqignbl.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\Marko\Application Data\Mozilla\Firefox\Profiles\3rqignbl.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-09-04 14:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-73586283-1060284298-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:d4,fd,8c,98,99,1f,29,8c,c3,fa,b1,c2,c0,e8,09,ff,55,49,09,7a,9a,2a,ce,
27,34,29,9b,82,3f,b7,07,e8,c4,d3,75,7d,22,0b,d2,5b,3f,10,0f,6b,a8,ae,21,ab,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-73586283-1060284298-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:50,b6,ba,da,87,36,d9,35,28,d7,bd,e0,c9,8f,31,e1,43,fd,3a,1b,9f,
26,99,90,0b,d6,6d,5a,49,de,0b,a3,97,31,70,5e,ee,56,61,85,16,26,d6,9a,8c,fb,\
"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1136)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1192)
c:\windows\system32\imon.dll

- - - - - - - > 'explorer.exe'(2648-)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-04 14:09
ComboFix-quarantined-files.txt 2009-09-04 12:09
ComboFix2.txt 2009-09-03 21:47

Pre-Run: 46.486.515.712 bytes free
Post-Run: 46.472.601.600 bytes free


offline
  • Joined: 04 Jan 2009
  • Posts: 2168

How are things now?

offline
  • bobm
  • New MyCity citizen
  • Joined: 09 Feb 2009
  • Posts: 14

it works ok.

it had been working ever since nod deleted it, but I see it was still left somewhere and that we deleted that too, so it's good that I checked.

thanks a lot.

offline
  • Joined: 04 Jan 2009
  • Posts: 2168

Follow this guide as well...


ComboFix needs to be uninstalled:
click Start, then Run.

On Vista, use the Start Search box if Run is not available.

In the text field type (or paste) the following:

combofix /u

Note that there is a space between "ComboFix" and "/u".


then click OK (or press Enter).


Wait for the uninstall process to finish.

offline
  • bobm
  • New MyCity citizen
  • Joined: 09 Feb 2009
  • Posts: 14

thanks.....
