Problems again...

  • smz
  • Citizen
  • Joined: 18 Mar 2008
  • Posts: 57

Not even two months have passed and it's problems again. While searching for the documentation of a TouchScreen TFT monitor, Windows warned me that it had detected a spyware infection, and at the very moment I clicked a link that was supposed to take me from some HP page to the monitor I was looking for, an ad for some (adult-film) cassettes opened... and that happened twice. AD-Aware 2007, as far as I understood, deletes everything it found, but when I restart the computer everything is back where it was, while Windows keeps offering to download some remover program, which I refuse. Here are the results that HijackThis produced.

Logfile of HijackThis v1.99.1
Scan saved at 08:41:36, on 05.05.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\shell.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1198000098\ee\AOLSoftware.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
C:\DATEV\SYSTEM\PSNTSERV.EXE
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$DATEV_CL_DE01\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Documents and Settings\Administrator\Desktop\New Folder (3)\HijackThis1.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1198000098\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - Startup: findfast.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - lizardtech.com/download/files/win/djvup....._de_DE.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{821CF5A8-6EFE-472C-9CF0-977E1825ED79}: NameServer = 205.188.146.145
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCE93D17-A689-4B6F-B3A0-8BB79EAFCBBD}: NameServer = 213.191.92.87 62.109.123.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{821CF5A8-6EFE-472C-9CF0-977E1825ED79}: NameServer = 205.188.146.145
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DATEV Druckservice (DatevPrintService) - DATEV eG - C:\DATEV\SYSTEM\PSNTSERV.EXE
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
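As an added example (not from the thread or from either poster), a small Python triage script for HijackThis lines like the ones above. It flags the four patterns visible in this log that a defender would want reviewed before running any cleanup: a second program chained onto the Shell= value (F2), an O4 Run entry whose file name imitates a Windows binary or sits unrecognised in the Windows directory, bare executables in a Startup folder instead of .lnk shortcuts, and the DisableRegedit policy (O7). The sample lines are copied from the log above; the set of core Windows binaries is an assumption used only for the look-alike check.

```python
import re

# Constructed sample: a subset of the HijackThis lines from the log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - Startup: findfast.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# Assumed (illustrative, not exhaustive) set of core Windows XP process names.
# Malware often picks a name one character away from one of these.
CORE_WINDOWS = {"spoolsv.exe", "svchost.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "explorer.exe", "ctfmon.exe", "smss.exe"}


def lookalike(name):
    """Return the core Windows binary that `name` imitates by one substituted
    character or one adjacent transposition (spoolvs.exe vs spoolsv.exe), else None."""
    name = name.lower()
    if name in CORE_WINDOWS:
        return None
    for known in CORE_WINDOWS:
        if len(known) != len(name):
            continue
        diff = [i for i, (a, b) in enumerate(zip(name, known)) if a != b]
        if len(diff) == 1:
            return known
        if (len(diff) == 2 and diff[1] == diff[0] + 1
                and name[diff[0]] == known[diff[1]] and name[diff[1]] == known[diff[0]]):
            return known
    return None


def basename(command):
    """First executable of an O4 command line, without quotes, path or arguments."""
    command = command.strip()
    if command.startswith('"'):
        command = command[1:].split('"', 1)[0]
    else:
        command = command.split(" ", 1)[0]
    return command.replace("/", "\\").split("\\")[-1].lower()


def triage(log_text):
    """Return (section, reason, item) tuples for lines that warrant review."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        # F2: the shell value must be exactly Explorer.exe; anything appended
        # is started together with the desktop shell on every logon.
        m = re.match(r"F2 - REG:system\.ini: Shell=(.+)$", line)
        if m:
            shell = m.group(1).strip()
            if shell.lower() != "explorer.exe":
                findings.append(("F2", "extra program chained to the shell", shell))
            continue
        # O4 Run keys: look-alike names and unknown binaries under %windir%.
        m = re.match(r"O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[[^\]]+\] (.+)$", line)
        if m:
            cmd = m.group(1)
            exe = basename(cmd)
            known = lookalike(exe)
            if known:
                findings.append(("O4", f"name imitates {known}", cmd))
            elif "\\windows\\" in cmd.lower() and exe not in CORE_WINDOWS:
                findings.append(("O4", "unrecognised binary in the Windows directory", cmd))
            continue
        # O4 Startup folders normally hold .lnk shortcuts, not executables.
        m = re.match(r"O4 - (?:Global )?Startup: (.+)$", line)
        if m:
            target = m.group(1).split(" = ")[0]
            if target.lower().endswith(".exe"):
                findings.append(("O4", "bare executable in a Startup folder", target))
            continue
        # O7: policies that lock the user out of registry/task manager tools.
        m = re.match(r"O7 - .*Policies\\System, (\w+)=1$", line)
        if m and m.group(1) in ("DisableRegedit", "DisableTaskMgr"):
            findings.append(("O7", f"{m.group(1)} policy set", line))
    return findings


if __name__ == "__main__":
    for section, reason, item in triage(SAMPLE_LOG):
        print(f"{section}: {reason}: {item}")
```

Every item the script flags here is one that the ComboFix run later in the thread deleted (shell.exe, printer.exe, spoolvs.exe, findfast.exe, autorun.exe), so the heuristics are a review aid, not a verdict.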

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hi...

Download ComboFix from one of the following addresses to your Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and do not touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log will appear (C:\ComboFix.txt); copy it here for us.

  • smz
  • Citizen
  • Joined: 18 Mar 2008
  • Posts: 57

Here you go, mate, I've done it...

ComboFix 08-05-01.3 - Administrator 2008-05-06 13:58:15.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.707 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\pcpriv.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\WINDOWS\inf\ultra.inf
C:\WINDOWS\shell.exe
C:\WINDOWS\system32\cmnocfg.xml
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\qviexio3.dat
C:\WINDOWS\system32\spoolvs.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-06 to 2008-05-06 )))))))))))))))))))))))))))))))
.

2008-04-30 15:47 . 2008-04-30 15:47 <DIR> d-------- C:\Program Files\syscmd
2008-04-14 13:02 . 2008-04-14 13:05 453 --a------ C:\WINDOWS\brwmark.ini
2008-04-14 13:02 . 2008-04-14 13:02 184 --a------ C:\WINDOWS\system32\brsvc01a.bsi
2008-04-14 13:02 . 2008-04-14 13:02 58 --a------ C:\WINDOWS\brmx2001.ini
2008-04-14 13:02 . 2008-04-14 13:02 52 --a------ C:\WINDOWS\BRPP2KA.INI
2008-04-14 13:02 . 2008-04-14 13:02 40 --a------ C:\WINDOWS\opt_1440.ini
2008-04-14 13:02 . 2008-04-14 13:02 30 --a------ C:\WINDOWS\system32\brss01a.ini
2008-04-14 13:01 . 2001-07-19 00:00 217,088 --a------ C:\WINDOWS\system32\BRSPL01A.DLL
2008-04-14 13:01 . 2002-01-15 00:01 94,208 --a------ C:\WINDOWS\system32\BRSPL01A.EXE
2008-04-14 13:01 . 2001-11-01 00:01 81,920 --a------ C:\WINDOWS\system32\BRSPLWMK.DLL
2008-04-14 13:01 . 2001-11-23 00:00 57,344 --a------ C:\WINDOWS\system32\BRSVC01A.EXE
2008-04-14 13:01 . 2000-12-18 01:02 53,248 --a------ C:\WINDOWS\system32\BRSPL2KB.DLL
2008-04-14 13:01 . 2001-12-13 00:01 45,056 --a------ C:\WINDOWS\system32\BRSS01A.EXE
2008-04-14 12:43 . 2008-04-14 12:43 <DIR> d-------- C:\hl1400er
2008-04-09 13:04 . 2008-04-09 13:04 630,838 --a------ C:\WINDOWS\ACD Wallpaper.bmp
2008-04-07 16:48 . 2008-04-07 16:48 17,144 --a------ C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-04 17:28 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-04-04 17:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-03-27 13:28 --------- d-----w C:\Program Files\SmartDraw 2008
2008-03-27 12:31 --------- d-----w C:\Program Files\ibf
2008-03-27 12:31 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ibf
2008-03-27 12:07 --------- d-----w C:\Program Files\Hutson Systems
2008-03-26 10:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-03-26 09:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-26 09:20 --------- d-----w C:\Program Files\Lavasoft
2008-03-26 09:19 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-26 09:16 --------- d-----w C:\Program Files\i-Sound Pro
2008-03-19 09:03 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-17 09:07 --------- d-----w C:\Program Files\Common Files\Nero
2008-03-17 09:06 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-03-17 09:05 --------- d-----w C:\Program Files\Ahead
2008-03-17 09:04 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-14 11:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-03-14 11:21 --------- d-----w C:\Program Files\AVG
2008-03-14 11:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-02-25 07:46 39,993 ----a-w C:\WINDOWS\system32\msratnit.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-12-13 18:49 1185120 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2007-12-13 18:49 1185120]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-12-13 18:49 1185120]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:21 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-17 09:44 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2007-06-21 14:42 70952]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-18 15:34 98304]
"HostManager"="C:\Program Files\Common Files\AOL\1198000098\ee\AOLSoftware.exe" [2006-09-26 02:52 50736]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-12-20 17:16 37376]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 12:54 16116224 C:\WINDOWS\RTHDCPL.exe]
"RegistryMechanic"="" []
"Device Detector"="DevDetect.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06 29696]
AOL 9.0 Tray-Symbol.lnk - C:\Program Files\AOL 9.0\aoltray.exe [2007-12-18 15:33:27 156784]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\aol\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\aol\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\aol\\1198000098\\ee\\aolsoftware.exe"=
"C:\\DATEV\\PROGRAMM\\Install\\ExecDll\\ExecDllExe.exe"=
"C:\\DATEV\\PROGRAMM\\Install\\Uninstal.exe"=
"C:\\DATEV\\PROGRAMM\\B0000005\\CDBTool.exe"=
"C:\\DATEV\\PROGRAMM\\SRVTOOL\\srvtool.exe"= C:\\DATEV\\PROGRAMM\\SRVTOOL\\srvtool
"C:\\DATEV\\PROGRAMM\\DBMSTool\\dvpcdbcockpit.exe"=
"C:\\DATEV\\PROGRAMM\\DDM\\DMT.exe"=
"C:\\DATEV\\PROGRAMM\\DDM\\DMTUtil.exe"=
"C:\\DATEV\\PROGRAMM\\DService\\LayDBAdm.exe"=
"C:\\DATEV\\PROGRAMM\\NesyMand\\NesyMand.exe"=

R2 DatevPrintService;DATEV Druckservice;C:\DATEV\SYSTEM\PSNTSERV.EXE [2003-11-06 18:00]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe [2004-12-13 02:05]
R2 MSSQL$DATEV_CL_DE01;MSSQL$DATEV_CL_DE01;C:\Program Files\Microsoft SQL Server\MSSQL$DATEV_CL_DE01\Binn\sqlservr.exe [2003-12-05 18:10]
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 06:29]
R3 AtcL002;NDIS Miniport Driver for Attansic L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl02_xp.sys [2006-10-31 07:50]
R3 AVMUNET;AVM FRITZ!Box;C:\WINDOWS\system32\DRIVERS\avmunet.sys [2004-11-24 03:00]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe [2004-12-13 02:05]
S3 SQLAgent$DATEV_CL_DE01;SQLAgent$DATEV_CL_DE01;C:\Program Files\Microsoft SQL Server\MSSQL$DATEV_CL_DE01\Binn\sqlagent.EXE [2002-12-17 18:23]

*Newly Created Service* - ATWPKT2
*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-05-06 14:00:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-06 14:01:42
ComboFix-quarantined-files.txt 2008-05-06 12:01:26
ComboFix2.txt 2008-04-03 10:25:50

Pre-Run: 6,849,462,272 bytes free
Post-Run: 6,881,103,872 bytes free


  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text into it:

File::
C:\WINDOWS\system32\msratnit.dll

DirLook::
C:\Program Files\syscmd
C:\hl1400er

Save the file from Notepad to the Desktop as "CFScript".

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post in the next message the log that is produced at the end of the cleaning/scanning.

  • smz
  • Citizen
  • Joined: 18 Mar 2008
  • Posts: 57

Done...

ComboFix 08-05-01.3 - Administrator 2008-05-07 9:38:14.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.669 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\msratnit.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\msratnit.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.

2008-04-30 15:47 . 2008-04-30 15:47 <DIR> d-------- C:\Program Files\syscmd
2008-04-14 13:02 . 2008-04-14 13:05 453 --a------ C:\WINDOWS\brwmark.ini
2008-04-14 13:02 . 2008-04-14 13:02 184 --a------ C:\WINDOWS\system32\brsvc01a.bsi
2008-04-14 13:02 . 2008-04-14 13:02 58 --a------ C:\WINDOWS\brmx2001.ini
2008-04-14 13:02 . 2008-04-14 13:02 52 --a------ C:\WINDOWS\BRPP2KA.INI
2008-04-14 13:02 . 2008-04-14 13:02 40 --a------ C:\WINDOWS\opt_1440.ini
2008-04-14 13:02 . 2008-04-14 13:02 30 --a------ C:\WINDOWS\system32\brss01a.ini
2008-04-14 13:01 . 2001-07-19 00:00 217,088 --a------ C:\WINDOWS\system32\BRSPL01A.DLL
2008-04-14 13:01 . 2002-01-15 00:01 94,208 --a------ C:\WINDOWS\system32\BRSPL01A.EXE
2008-04-14 13:01 . 2001-11-01 00:01 81,920 --a------ C:\WINDOWS\system32\BRSPLWMK.DLL
2008-04-14 13:01 . 2001-11-23 00:00 57,344 --a------ C:\WINDOWS\system32\BRSVC01A.EXE
2008-04-14 13:01 . 2000-12-18 01:02 53,248 --a------ C:\WINDOWS\system32\BRSPL2KB.DLL
2008-04-14 13:01 . 2001-12-13 00:01 45,056 --a------ C:\WINDOWS\system32\BRSS01A.EXE
2008-04-14 12:43 . 2008-04-14 12:43 <DIR> d-------- C:\hl1400er
2008-04-09 13:04 . 2008-04-09 13:04 630,838 --a------ C:\WINDOWS\ACD Wallpaper.bmp
2008-04-07 16:48 . 2008-04-07 16:48 17,144 --a------ C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-04 17:28 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-04-04 17:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-03-27 13:28 --------- d-----w C:\Program Files\SmartDraw 2008
2008-03-27 12:31 --------- d-----w C:\Program Files\ibf
2008-03-27 12:31 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ibf
2008-03-27 12:07 --------- d-----w C:\Program Files\Hutson Systems
2008-03-26 10:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-03-26 09:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-26 09:20 --------- d-----w C:\Program Files\Lavasoft
2008-03-26 09:19 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-26 09:16 --------- d-----w C:\Program Files\i-Sound Pro
2008-03-19 09:03 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-17 09:07 --------- d-----w C:\Program Files\Common Files\Nero
2008-03-17 09:06 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-03-17 09:05 --------- d-----w C:\Program Files\Ahead
2008-03-17 09:04 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-14 11:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-03-14 11:21 --------- d-----w C:\Program Files\AVG
2008-03-14 11:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\hl1400er ----

2002-01-15 09:01 52240 --a------ C:\hl1400er\pcl\GERMAN\BRSPL01A.EX_
2001-12-13 09:01 20556 --a------ C:\hl1400er\pcl\GERMAN\BRSS01A.EX_
2001-12-13 09:01 16888 --a------ C:\hl1400er\pcl\GERMAN\BRPP2KA.DL_
2001-11-23 09:00 29852 --a------ C:\hl1400er\pcl\GERMAN\BRSVC01A.EX_
2001-11-01 09:01 41194 --a------ C:\hl1400er\pcl\GERMAN\BRSPLWMK.DL_
2001-09-28 01:11 2719 --a------ C:\hl1400er\pcl\GERMAN\OEMHL01A.INF
2001-09-27 09:00 173 --a------ C:\hl1400er\pcl\GERMAN\BRSVC01A.BS_
2001-05-15 00:28 17651 --a------ C:\hl1400er\pcl\GERMAN\OEMHL01A.CAT
2001-04-23 10:22 91178 --a------ C:\hl1400er\pcl\GERMAN\B06HL01A.DL_
2001-04-23 10:22 91178 --a------ C:\hl1400er\pcl\GERMAN\B05HL01A.DL_
2001-04-23 10:22 91171 --a------ C:\hl1400er\pcl\GERMAN\B04HL01A.DL_
2001-04-23 10:22 91162 --a------ C:\hl1400er\pcl\GERMAN\B03HL01A.DL_
2001-04-23 10:22 40111 --a------ C:\hl1400er\pcl\GERMAN\BRLHL01A.DL_
2001-04-23 10:22 264660 --a------ C:\hl1400er\pcl\GERMAN\BRUHL01A.DL_
2001-04-23 10:22 110893 --a------ C:\hl1400er\pcl\GERMAN\BROHL01A.DL_
2001-04-23 10:22 10669 --a------ C:\hl1400er\pcl\GERMAN\BROHL144.PPD
2001-04-23 10:22 10543 --a------ C:\hl1400er\pcl\GERMAN\BROHL147.PPD
2001-04-23 10:22 10522 --a------ C:\hl1400er\pcl\GERMAN\BROHL123.PPD
2001-04-23 10:22 10497 --a------ C:\hl1400er\pcl\GERMAN\BROHL145.PPD
2001-03-30 10:10 13927 --a------ C:\hl1400er\pcl\GERMAN\BRQIKMON.HL_
2001-03-30 10:00 3795 --a------ C:\hl1400er\pcl\GERMAN\BROHL147.IN_
2001-03-30 10:00 3795 --a------ C:\hl1400er\pcl\GERMAN\BROHL145.IN_
2001-03-30 10:00 3739 --a------ C:\hl1400er\pcl\GERMAN\BROHL144.IN_
2001-03-30 10:00 3739 --a------ C:\hl1400er\pcl\GERMAN\BROHL123.IN_
2001-03-28 10:00 57340 --a------ C:\hl1400er\pcl\GERMAN\BROHL01A.HL_
2001-03-22 09:03 66459 --a------ C:\hl1400er\pcl\GERMAN\BRSPL01A.DL_
2000-12-18 10:02 29723 --a------ C:\hl1400er\pcl\GERMAN\BRSPL2KB.DL_
2000-12-12 11:06 39368 --a------ C:\hl1400er\pcl\GERMAN\BRQIKMON.EX_
1999-03-06 10:00 212 --a------ C:\hl1400er\pcl\GERMAN\BRWMARK.IN_

---- Directory of C:\Program Files\syscmd ----

2005-09-03 18:56 68608 --a------ C:\Program Files\syscmd\mscmp32.dll
2005-09-03 18:56 124 --a------ C:\Program Files\syscmd\uninstall.bat
2005-09-03 18:56 1112 --a------ C:\Program Files\syscmd\mscmp.inf


((((((((((((((((((((((((((((( snapshot@2008-05-06_14.01.19,29 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-06 11:49:15 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-07 07:11:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-03-24 17:33:02 1,527,056 ----a-w C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
+ 2008-03-25 02:32:44 218,496 ----a-r C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe
+ 2008-05-06 12:32:43 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-05-07 07:13:43 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_650.dat
+ 2008-05-07 07:11:30 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_720.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-12-13 18:49 1185120 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2007-12-13 18:49 1185120]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-12-13 18:49 1185120]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:21 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-17 09:44 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2007-06-21 14:42 70952]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-18 15:34 98304]
"HostManager"="C:\Program Files\Common Files\AOL\1198000098\ee\AOLSoftware.exe" [2006-09-26 02:52 50736]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-12-20 17:16 37376]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 12:54 16116224 C:\WINDOWS\RTHDCPL.exe]
"RegistryMechanic"="" []
"Device Detector"="DevDetect.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06 29696]
AOL 9.0 Tray-Symbol.lnk - C:\Program Files\AOL 9.0\aoltray.exe [2007-12-18 15:33:27 156784]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\aol\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\aol\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\aol\\1198000098\\ee\\aolsoftware.exe"=
"C:\\DATEV\\PROGRAMM\\Install\\ExecDll\\ExecDllExe.exe"=
"C:\\DATEV\\PROGRAMM\\Install\\Uninstal.exe"=
"C:\\DATEV\\PROGRAMM\\B0000005\\CDBTool.exe"=
"C:\\DATEV\\PROGRAMM\\SRVTOOL\\srvtool.exe"= C:\\DATEV\\PROGRAMM\\SRVTOOL\\srvtool
"C:\\DATEV\\PROGRAMM\\DBMSTool\\dvpcdbcockpit.exe"=
"C:\\DATEV\\PROGRAMM\\DDM\\DMT.exe"=
"C:\\DATEV\\PROGRAMM\\DDM\\DMTUtil.exe"=
"C:\\DATEV\\PROGRAMM\\DService\\LayDBAdm.exe"=
"C:\\DATEV\\PROGRAMM\\NesyMand\\NesyMand.exe"=

R2 DatevPrintService;DATEV Druckservice;C:\DATEV\SYSTEM\PSNTSERV.EXE [2003-11-06 18:00]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe [2004-12-13 02:05]
R2 MSSQL$DATEV_CL_DE01;MSSQL$DATEV_CL_DE01;C:\Program Files\Microsoft SQL Server\MSSQL$DATEV_CL_DE01\Binn\sqlservr.exe [2003-12-05 18:10]
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 06:29]
R3 AtcL002;NDIS Miniport Driver for Attansic L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl02_xp.sys [2006-10-31 07:50]
R3 AVMUNET;AVM FRITZ!Box;C:\WINDOWS\system32\DRIVERS\avmunet.sys [2004-11-24 03:00]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe [2004-12-13 02:05]
S3 SQLAgent$DATEV_CL_DE01;SQLAgent$DATEV_CL_DE01;C:\Program Files\Microsoft SQL Server\MSSQL$DATEV_CL_DE01\Binn\sqlagent.EXE [2002-12-17 18:23]

*Newly Created Service* - ATWPKT2
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-05-07 09:39:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-07 9:40:07
ComboFix-quarantined-files.txt 2008-05-07 07:39:57
ComboFix2.txt 2008-05-06 12:01:43
ComboFix3.txt 2008-04-03 10:25:50

Pre-Run: 6,845,734,912 bytes free
Post-Run: 6,855,098,368 bytes free


  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Zip/rar the complete folder: C:\Program Files\syscmd

and send it through this link: http://www.mycity.rs/ambulanta-upload.php

Let me know when you have done the upload and tell me what the state is now.

  • smz
  • Citizen
  • Joined: 18 Mar 2008
  • Posts: 57

Mate, all done, I sent it to you as a RAR as you asked. Now it seems OK to me, but AD-Aware 2007 reports some 4 objects that it doesn't delete; I'll try again and let you know in the next message.

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Delete this folder too:

C:\Program Files\syscmd

  • smz
  • Citizen
  • Joined: 18 Mar 2008
  • Posts: 57

Deleted... it seems everything else is in order... can you suggest what else I should install besides this AD-Aware 2007 to be better protected, because I'm forced to poke around everywhere on the net for all kinds of schematics and manuals... preferably something free, of course...

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE
