[bobby] Pomoć u vezi loga - 7322.com problem

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Uloguj se preko Facebooka da bi skinuo fajl:

ComboFix 08-05-15.2 - ljiljar 2008-05-16 13:40:09.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.159 [GMT 2:00]
Running from: C:\Documents and Settings\ljiljar\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\ljiljar\Favorites\ÕÒµ½123ÍøÖ·µ¼º½.url
C:\Documents and Settings\ljiljar\Favorites\Á´½Ó

.
((((((((((((((((((((((((( Files Created from 2008-04-16 to 2008-05-16 )))))))))))))))))))))))))))))))
.

2008-05-12 09:21 . 2008-05-12 09:21 <DIR> d-------- C:\Documents and Settings\ljiljar\DoctorWeb
2008-05-06 09:38 . 2008-05-06 09:38 250 --a------ C:\WINDOWS\gmer.ini
2008-04-16 10:49 . 2008-04-16 10:49 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-04-16 10:49 . 2008-04-16 10:49 <DIR> d-------- C:\kav
2008-04-16 10:49 . 2008-04-16 10:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-16 10:49 . 2008-05-16 13:41 2,490,912 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-16 10:49 . 2008-05-16 13:41 49,184 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-16 10:49 . 2008-05-15 15:57 33,932 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-16 10:49 . 2008-05-15 15:57 6,488 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-15 13:57 3,145,728 ---ha-w C:\Documents and Settings\ljiljar\NTUSER.DAT
2008-03-19 08:49 --------- d--h--w C:\Program Files\Zenographics
2008-03-19 08:49 --------- d-----w C:\Program Files\Hewlett-Packard
.

((((((((((((((((((((((((((((( [Link mogu videti samo ulogovani korisnici] )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-22 13:25:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-16 07:43:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-06 07:38:42 819,200 ----a-w C:\WINDOWS\gmer.dll
+ 2008-03-03 18:29:06 761,856 ----a-w C:\WINDOWS\gmer.exe
+ 2008-05-06 07:38:42 86,097 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 14:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-01-04 22:05 344064]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"kav"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2006-03-24 19:09 139367]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 14:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-05-30 15:38:51 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17150:TCP"= 17150:TCP:NortonAV
"17938:TCP"= 17938:TCP:NortonAV
"15839:TCP"= 15839:TCP:NortonAV
"15416:TCP"= 15416:TCP:NortonAV
"16957:TCP"= 16957:TCP:NortonAV
"14103:TCP"= 14103:TCP:NortonAV
"18883:TCP"= 18883:TCP:NortonAV
"18284:TCP"= 18284:TCP:NortonAV
"12677:TCP"= 12677:TCP:NortonAV
"13044:TCP"= 13044:TCP:NortonAV
"16042:TCP"= 16042:TCP:NortonAV
"15202:TCP"= 15202:TCP:NortonAV
"18497:TCP"= 18497:TCP:NortonAV
"12454:TCP"= 12454:TCP:NortonAV
"14164:TCP"= 14164:TCP:NortonAV
"15087:TCP"= 15087:TCP:NortonAV
"15495:TCP"= 15495:TCP:NortonAV
"16515:TCP"= 16515:TCP:NortonAV
"18960:TCP"= 18960:TCP:NortonAV
"13052:TCP"= 13052:TCP:NortonAV
"12118:TCP"= 12118:TCP:NortonAV
"14698:TCP"= 14698:TCP:NortonAV
"16633:TCP"= 16633:TCP:NortonAV


.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2008-05-16 13:41:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-16 13:42:22
ComboFix-quarantined-files.txt 2008-05-16 11:42:20
ComboFix2.txt 2008-05-07 11:47:42
ComboFix3.txt 2008-04-24 07:50:28
ComboFix4.txt 2008-04-22 13:27:30

Pre-Run: 68,512,342,016 bytes free
Post-Run: 68,506,460,160 bytes free

106 --- E O F --- 2007-11-14 14:58:20

[Link mogu videti samo ulogovani korisnici]

[Link mogu videti samo ulogovani korisnici]



Hvala i pozdrav.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Mozes li da mi u jedan ZIP spakujes kompletan sadrzaj sledeceg foldera:
C:\Program Files\MSEB\

Molim te uploaduj to preko sledece forme:
[Link mogu videti samo ulogovani korisnici]

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Završeno.
Pozdrav.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Poslao sam fajlove na analizu, posto ga za sada samo Sunbelt prepoznaje kao malicioznog.
Nadam se da cemo uskoro dobiti odgovor.

Dopuna: 22 Maj 2008 12:13

Niko ne odgovara...

Ajde za probu promeni ime tog foldera (dodaj koje slovo), restartuj komp pa vidi sta se desava, tj. da li jos uvek ima problema.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Probala, ali sve radi po starom.
Izgleda da nema pomoci.

Pozdrav.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Ja ne bih jos odustao.
Malo je problem sto ovde pisemo po poruku u tri dana, pa malko sporo ide, a i situacija se za tri dana puno izmeni tako da stari logovi uopste nemaju vise znacaja.

Ukoliko zelis da nastavis, trebaju mi svezi HijackThis i ComboFix logovi.
Combofix treba uvek skinuti novu verziju pre svakog pravljenja loga.