virtumonde - please check

  • Joined: 29 Mar 2006
  • Posts: 34
  • Location: Leskovac

I'm using WIN XP SP2 and also avast, which reports the following infection:
c:/windows/system32
Win32:Virtumonde-JA
Please help! Thanks

Logfile of HijackThis v1.99.1
Scan saved at 20:21:07, on 28.4.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\svehost.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\ana i andjela\Desktop\provera\provera.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = search.imesh.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: (no name) - {A6C54318-5AC7-477D-B0A7-49AF5189300C} - C:\WINDOWS\system32\tuvUNecA.dll
O2 - BHO: (no name) - {BCA0AEFD-9DC3-4134-8546-E1307BEE5C1F} - C:\WINDOWS\system32\geBqPIbY.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Microsoft Updates] svehost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXDCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\RunServices: [Microsoft Updates] svehost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O8 - Extra context menu item: Preuzmi sa FlashGet-om - C:\PROGRA~1\FLASHGET\jc_link.htm
O8 - Extra context menu item: Preuzmi sve sa FlashGet-om - C:\PROGRA~1\FLASHGET\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: tuvUNecA - C:\WINDOWS\SYSTEM32\tuvUNecA.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe
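As an added example (not code from this thread, from HijackThis or from ComboFix), the Python below applies a few defender-side triage heuristics to the kinds of HijackThis entries the helper acted on here: a lookalike of a system process name started from the Run/RunServices keys, and generated-looking DLL names registered as a BHO and as a Winlogon Notify package. The list of system image names, the similarity threshold and the "8-letter stem" rule are assumptions chosen for this example; the sample lines are copied from the log above.

```python
import re
from difflib import SequenceMatcher

# Windows XP core image names that malware imitates (assumed list for this example).
KNOWN_SYSTEM_IMAGES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "services.exe", "smss.exe", "ctfmon.exe"}

# Lines copied from the HijackThis log posted above (process list, O2, O4, O20).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svehost.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {A6C54318-5AC7-477D-B0A7-49AF5189300C} - C:\WINDOWS\system32\tuvUNecA.dll
O2 - BHO: (no name) - {BCA0AEFD-9DC3-4134-8546-E1307BEE5C1F} - C:\WINDOWS\system32\geBqPIbY.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Microsoft Updates] svehost.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] svehost.exe
O20 - Winlogon Notify: tuvUNecA - C:\WINDOWS\SYSTEM32\tuvUNecA.dll
"""

def basename(path):
    return path.strip().strip('"').rsplit("\\", 1)[-1]

def lookalike_of(image):
    """Known system image that 'image' closely resembles without being it, else None."""
    image = image.lower()
    if image in KNOWN_SYSTEM_IMAGES:
        return None
    for known in sorted(KNOWN_SYSTEM_IMAGES):
        if SequenceMatcher(None, image, known).ratio() >= 0.85:  # assumed threshold
            return known
    return None

def looks_generated(filename):
    """Heuristic: 8-letter stem with 3+ upper/lower switches, like tuvUNecA or geBqPIbY."""
    stem = filename.rsplit(".", 1)[0]
    switches = sum(1 for a, b in zip(stem, stem[1:]) if a.islower() != b.islower())
    return len(stem) == 8 and stem.isalpha() and switches >= 3

def triage_line(line):
    """Return (severity, image, reason) findings for one HijackThis log line."""
    line, findings = line.strip(), []
    if re.match(r"^[A-Za-z]:\\", line):  # running-process line
        img = basename(line)
        look = lookalike_of(img)
        if look:
            findings.append(("high", img, f"running process name resembles {look}"))
        return findings
    m = re.match(r"^(O\d+) - (.*)$", line)
    if not m:
        return findings
    section, body = m.groups()
    if section == "O4":  # autostart entry: HIVE\..\Key: [name] command
        mm = re.match(r"(\S+): \[([^\]]*)\] (.*)", body)
        if mm:
            hive, name, cmd = mm.groups()
            img = cmd.split()[0].strip('"') if cmd.strip() else ""
            if "\\" not in img and ":" not in img:  # bare name, resolved via PATH at logon
                findings.append(("medium", img, f"autostart [{name}] uses a bare image name"))
                look = lookalike_of(img)
                if look:
                    findings.append(("high", img, f"{img} resembles {look} but is not it"))
            if hive.endswith("RunServices"):  # legacy Win9x key, rarely used legitimately on XP
                findings.append(("low", img, f"autostart [{name}] placed in RunServices"))
    elif section in ("O2", "O20"):  # BHO / Winlogon Notify: "... - <path>"
        img = basename(body.rsplit(" - ", 1)[-1])
        if section == "O2" and body.startswith("BHO: (no name)"):
            findings.append(("medium", img, "BHO registered without a name"))
        if looks_generated(img):
            findings.append(("high", img, f"{section} entry loads a generated-looking DLL"))
    return findings

def triage_log(text):
    """All findings over a whole log, in line order."""
    return [f for line in text.splitlines() for f in triage_line(line)]

def flagged_images(text, min_severity="high"):
    """Image names with at least one finding at or above min_severity."""
    rank = {"low": 0, "medium": 1, "high": 2}
    return {img for sev, img, _ in triage_log(text) if rank[sev] >= rank[min_severity]}
```

On the sample lines the three images the helper later removed (svehost.exe, tuvUNecA.dll, geBqPIbY.dll) are the only ones flagged at high severity; svchost.exe and the avast entry produce no findings.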

  • helen1 (Male)
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8444
  • Location: Novi Beograd

I see you have also asked for help with this case on Krstarica?
http://forum.krstarica.com/showthread.php?p=6477151

Did you expect people on two different forums to give you the same tools? I was going to suggest Vundo Fix myself.

  • Joined: 29 Mar 2006
  • Posts: 34
  • Location: Leskovac

Yes, I did something there, but it still reports errors!
Thanks in any case.

  • helen1 (Male)
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8444
  • Location: Novi Beograd

We'll help, I'm just asking. Decide: either us or Krstarica. We can't work in parallel.

Download ComboFix from one of the following addresses to your Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and don't touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear, which you will copy here for us.

  • Joined: 29 Mar 2006
  • Posts: 34
  • Location: Leskovac

ComboFix 08-04-27.3 - ana i andjela 2008-04-28 20:44:12.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.76 [GMT 2:00]
Running from: C:\Documents and Settings\ana i andjela\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\AntiSpywareMaster
C:\WINDOWS\Config\csrss.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\geBqPIbY.dll
C:\WINDOWS\system32\geBuUlLD.dll
C:\WINDOWS\system32\hgGvuTKd.dll
C:\WINDOWS\system32\jgxkdyvl.ini
C:\WINDOWS\system32\lRtBLkkj.ini
C:\WINDOWS\system32\lRtBLkkj.ini2
C:\WINDOWS\system32\lvydkxgj.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mexicprq.dll
C:\WINDOWS\system32\mfuemnxm.ini
C:\WINDOWS\system32\mlJDwVLE.dll
C:\WINDOWS\system32\obchywxx.ini
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\svehost.exe
C:\WINDOWS\system32\tuvUNecA.dll
C:\WINDOWS\system32\txjuvcmx.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\wvUoPijj.dll
C:\WINDOWS\system32\xmcvujxt.ini
C:\WINDOWS\system32\xnbundwp.dll
C:\WINDOWS\system32\YbIPqBeg.ini
C:\WINDOWS\system32\YbIPqBeg.ini2

----- BITS: Possible infected sites -----

hxxp://77.91.228.186
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.

2008-04-27 06:31 . 2008-04-28 19:26 109,756 --a------ C:\WINDOWS\BM6b7ef851.xml
2008-04-23 21:07 . 2008-04-23 21:07 0 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT_TU_29952.LOG
2008-04-23 21:07 . 2008-04-23 21:07 0 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT_TU_54316.LOG
2008-04-23 21:07 . 2008-04-23 21:07 0 --ah----- C:\Documents and Settings\ana i andjela\NTUSER.DAT_TU_48360.LOG
2008-04-22 18:31 . 2008-04-22 18:34 124,688 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-04-20 11:29 . 2008-04-20 11:29 <DIR> d-------- C:\Program Files\EnglDict
2008-04-20 11:29 . 1997-01-15 23:00 192,272 --a------ C:\WINDOWS\system32\MCI32.OCX
2008-04-20 11:29 . 1998-06-18 04:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.dll
2008-04-16 19:26 . 2008-04-16 19:26 <DIR> d-------- C:\Program Files\My Scene(TM)
2008-04-15 18:55 . 2008-04-15 18:55 98,304 --------- C:\WINDOWS\system32\CmdLineExt.dll
2008-04-14 19:02 . 2008-04-14 19:02 <DIR> d-------- C:\Program Files\QuickTime
2008-04-14 19:01 . 2008-04-14 19:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-08 15:13 . 2008-04-08 15:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Vivendi Universal Games
2008-04-06 14:52 . 2008-04-06 14:52 <DIR> d-------- C:\Program Files\Cosmo Bots Full Version
2008-04-06 14:49 . 2008-04-06 14:49 <DIR> d-------- C:\Program Files\PopCap Games
2008-04-06 14:22 . 2008-04-06 14:22 1,964 --a------ C:\WINDOWS\ST5UNST.005
2008-04-06 14:21 . 2008-04-06 14:21 1,964 --a------ C:\WINDOWS\ST5UNST.004
2008-04-03 21:09 . 2008-04-03 21:09 <DIR> d-------- C:\Program Files\DNA
2008-04-03 21:09 . 2008-04-03 21:09 <DIR> d-------- C:\Program Files\BitTorrent
2008-04-03 21:09 . 2008-04-03 21:09 <DIR> d-------- C:\Documents and Settings\ana i andjela\Application Data\DNA
2008-04-03 21:09 . 2008-04-03 21:09 <DIR> d-------- C:\Documents and Settings\ana i andjela\Application Data\BitTorrent
2008-03-31 20:03 . 2008-03-31 20:03 1,964 --a------ C:\WINDOWS\ST5UNST.003

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-06 12:10 43,520 ------w C:\WINDOWS\system32\CmdLineExt03.dll
2008-04-03 19:17 94,208 ----a-w C:\WINDOWS\Media\csrss.exe
2008-03-27 18:59 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
.

------- Sigcheck -------

2004-08-03 21:14 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\system32\drivers\tcpip.sys
2004-08-03 21:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\system32\dllcache\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-03 21:09 287040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"LXDCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll" [2007-01-23 00:05 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Updates"="svehost.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvUNecA]
tuvUNecA.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageFox.lnk]
backup=C:\WINDOWS\pss\ImageFox.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
-r------- 2003-03-20 00:21 1855488 C:\WINDOWS\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CheckDialer]
C:\Program Files\Hispasec\CheckDialer\ChkDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdcamon]
--a------ 2007-02-06 01:32 20480 C:\Program Files\Lexmark 1300 Series\lxdcamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2004-12-09 15:38 1937408 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-12-15 03:23 75520 C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2005-11-15 20:31 33792 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\System32\\lxdccoms.exe"=
"C:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
"C:\\Program Files\\Lexmark 1300 Series\\App4R.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=

R2 lxdc_device;lxdc_device;C:\WINDOWS\system32\lxdccoms.exe [2007-02-13 01:56]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-03 22:56]
S3 mpr_freader;MPR FileReader Driver;C:\Program Files\Multi Password Recovery\mpr_freader.sys []
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"C:\Program Files\MSN Messenger\usnsvc.exe" [2007-01-19 12:54]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-04-18 15:28:24 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-04-28 20:50:24
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\PROGRAM FILES\IVT CORPORATION\BLUESOLEIL\BTNTSERVICE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHDISP.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-04-28 20:51:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-28 18:51:46

Pre-Run: 3,696,508,928 bytes free
Post-Run: 3,625,009,152 bytes free

  • helen1 (Male)
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8444
  • Location: Novi Beograd

Open Notepad and copy the following text into it:

File::
C:\WINDOWS\BM6b7ef851.xml
C:\WINDOWS\Media\csrss.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Updates"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvUNecA]


Save the Notepad file to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as in the picture.
Post in your next message the log that is created at the end of the cleaning/scanning.

  • Joined: 29 Mar 2006
  • Posts: 34
  • Location: Leskovac

During the scan with ComboFix, avast showed me a message that it had found some virus, which I deleted, and ComboFix continued scanning.
Here's the log

ComboFix 08-04-27.3 - ana i andjela 2008-04-29 6:34:34.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.98 [GMT 2:00]
Running from: C:\Documents and Settings\ana i andjela\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ana i andjela\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BM6b7ef851.xml
C:\WINDOWS\Media\csrss.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM6b7ef851.xml
C:\WINDOWS\iexplore.exe
C:\WINDOWS\Media\csrss.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.

2008-04-28 21:25 . 2008-04-28 21:25 <DIR> d-------- C:\logs
2008-04-23 21:07 . 2008-04-23 21:07 0 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT_TU_29952.LOG
2008-04-23 21:07 . 2008-04-23 21:07 0 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT_TU_54316.LOG
2008-04-23 21:07 . 2008-04-23 21:07 0 --ah----- C:\Documents and Settings\ana i andjela\NTUSER.DAT_TU_48360.LOG
2008-04-22 18:31 . 2008-04-22 18:34 124,688 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-04-20 11:29 . 2008-04-20 11:29 <DIR> d-------- C:\Program Files\EnglDict
2008-04-20 11:29 . 1997-01-15 23:00 192,272 --a------ C:\WINDOWS\system32\MCI32.OCX
2008-04-20 11:29 . 1998-06-18 04:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.dll
2008-04-16 19:26 . 2008-04-16 19:26 <DIR> d-------- C:\Program Files\My Scene(TM)
2008-04-15 18:55 . 2008-04-15 18:55 98,304 --------- C:\WINDOWS\system32\CmdLineExt.dll
2008-04-14 19:02 . 2008-04-14 19:02 <DIR> d-------- C:\Program Files\QuickTime
2008-04-14 19:01 . 2008-04-14 19:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-08 15:13 . 2008-04-08 15:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Vivendi Universal Games
2008-04-06 14:52 . 2008-04-06 14:52 <DIR> d-------- C:\Program Files\Cosmo Bots Full Version
2008-04-06 14:49 . 2008-04-06 14:49 <DIR> d-------- C:\Program Files\PopCap Games
2008-04-06 14:22 . 2008-04-06 14:22 1,964 --a------ C:\WINDOWS\ST5UNST.005
2008-04-06 14:21 . 2008-04-06 14:21 1,964 --a------ C:\WINDOWS\ST5UNST.004
2008-04-03 21:09 . 2008-04-03 21:09 <DIR> d-------- C:\Program Files\DNA
2008-04-03 21:09 . 2008-04-03 21:09 <DIR> d-------- C:\Program Files\BitTorrent
2008-04-03 21:09 . 2008-04-03 21:09 <DIR> d-------- C:\Documents and Settings\ana i andjela\Application Data\DNA
2008-04-03 21:09 . 2008-04-03 21:09 <DIR> d-------- C:\Documents and Settings\ana i andjela\Application Data\BitTorrent
2008-03-31 20:03 . 2008-03-31 20:03 1,964 --a------ C:\WINDOWS\ST5UNST.003

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-06 12:10 43,520 ------w C:\WINDOWS\system32\CmdLineExt03.dll
2008-03-27 18:59 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-03-15 01:46 1,206,366 ----a-w C:\WINDOWS\wrar371.exe
.

------- Sigcheck -------

2004-08-03 21:14 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\system32\drivers\tcpip.sys
2004-08-03 21:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\system32\dllcache\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-04-28_20.51.14.16 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-28 18:49:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-29 04:25:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-29 04:25:36 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_490.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-03 21:09 287040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"LXDCCATS"="C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXDCtime.dll" [2007-01-23 00:05 102400]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:56 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageFox.lnk]
backup=C:\WINDOWS\pss\ImageFox.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
-r------- 2003-03-20 00:21 1855488 C:\WINDOWS\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CheckDialer]
C:\Program Files\Hispasec\CheckDialer\ChkDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdcamon]
--a------ 2007-02-06 01:32 20480 C:\Program Files\Lexmark 1300 Series\lxdcamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2004-12-09 15:38 1937408 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-12-15 03:23 75520 C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2005-11-15 20:31 33792 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\System32\\lxdccoms.exe"=
"C:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
"C:\\Program Files\\Lexmark 1300 Series\\App4R.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=

R2 lxdc_device;lxdc_device;C:\WINDOWS\system32\lxdccoms.exe [2007-02-13 01:56]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-03 22:56]
S3 mpr_freader;MPR FileReader Driver;C:\Program Files\Multi Password Recovery\mpr_freader.sys []
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"C:\Program Files\MSN Messenger\usnsvc.exe" [2007-01-19 12:54]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-18 15:28:24 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-04-29 06:36:44
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXDCCATS = rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-29 6:37:28
ComboFix-quarantined-files.txt 2008-04-29 04:37:26
ComboFix2.txt 2008-04-28 18:51:58

Pre-Run: 3,566,821,376 bytes free
Post-Run: 3,561,750,528 bytes free

  • helen1 (Male)
  • Anti Malware Fighter
    Rank 2
  • Master teacher
  • Joined: 27 Aug 2005
  • Posts: 8444
  • Location: Novi Beograd

  • Joined: 29 Mar 2006
  • Posts: 34
  • Location: Leskovac

I did this as well.
It works fine now!
Thanks a lot for the help
Cheers
