Virus Again

MonteCarlo

Interested member
Posts: 129
I was looking for a crack for a game and something flooded in like crazy, froze everything; NOD registered it with no option to delete it. After that there was no way to open any web page; I went back twice with System Restore without success, and I don't even know now how I managed to open the forum. I don't notice other problems for now; I'll post the scan, so I ask dr.Bora and the others to take a look. Thanks



Logfile of HijackThis v1.99.1
Scan saved at 17:33:24, on 4.10.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
D:\download\Krstarica\Za dr.Boru.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PopupManager Class - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.2.1P.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [RAMfreer] C:\Program Files\RAMfreer\RAMfreer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
 
Here's what it says:

Time Module Object Name Threat Action User Information
3.10.2007 23:49:44 AMON file C:\WINDOWS\system32\vtr.dll Win32/TrojanDownloader.Agent.NPQ trojan quarantined - deleted Event occurred on a newly created file. The file was moved to quarantine. You may close this window.



Time Module Object Name Threat Action User Information
3.10.2007 23:49:42 AMON file C:\WINDOWS\system32\winavxx.exe Win32/TrojanDownloader.Agent.NRJ trojan quarantined - deleted Event occurred on a new file created by the application: C:\DOCUME~1\1\LOCALS~1\Tempmbroit.exe. The file was moved to quarantine. You may close this window.
 
Well, judging by this, NOD did its job.

Still, we'll run a few checks. To start, edit your previous post and remove those two links.

Download http://www.gmer.net/gmer.zip and unpack it into a folder.
Disable the AV and all other running programs.

Run gmer.exe.
On the Rootkit tab, click Scan... When it's done, click Save... and save the log file.
Then switch to the Autostart tab (click >>> and it will appear) and click Scan.
When it's done, click Copy, then paste everything into Notepad (just right-click, Paste) and save that file too.
If the first log is larger than 10 KB, zip it and attach it to your post.
Paste the second log here.
 
Sorry, I didn't zip it and post it here because I uninstalled WinZip, since it's some trial version that keeps bothering me. I put it in a RAR at: http://rapidshare.com/files/60256426/lista.rar.html, I hope that's not a problem.
Anyway, it has already started messing things up. Some screensaver appears that freezes everything and blacks out the screen; it says it's called Wolves. I've never had or installed anything like that. I can barely get it off the screen. For now I've just disabled it until you tell me what to do with it.
 
Here is ComboFix.log

ComboFix 07-10-04.6 - 1 2007-10-04 20:44:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.10 [GMT 2:00]
Running from: D:\download\Krstarica\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\ScreenSaver\Images\00816108.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\00873CD9.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\0087A855.dat
C:\Program Files\FunWebProducts\ScreenSaver\Images\0089AE27.dat
C:\Program Files\FunWebProducts\ScreenSaver\Images\008C144A.dat
C:\Program Files\FunWebProducts\ScreenSaver\Images\008D035D.dat
C:\Program Files\FunWebProducts\ScreenSaver\Images\008D9F9D.dat
C:\Program Files\FunWebProducts\ScreenSaver\Images\101x135\008C144A.jpg
C:\Program Files\FunWebProducts\ScreenSaver\Images\101x135\008D035D.jpg
C:\Program Files\FunWebProducts\ScreenSaver\Images\101x135\008D9F9D.jpg
C:\Program Files\FunWebProducts\ScreenSaver\Images\f3wallpp.bmp
C:\Program Files\FunWebProducts\ScreenSaver\Images\wrkparam.lst
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\WINDOWS\NDNuninstall7_22.exe
C:\WINDOWS\NDNuninstall7_48.exe
C:\WINDOWS\system32\drivers\CI3XmasSetup.exe
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\winsub.xml

.
((((((((((((((((((((((((( Files Created from 2007-09-04 to 2007-10-04 )))))))))))))))))))))))))))))))
.

2007-10-04 20:40 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-03 23:49 8,364 --a------ C:\WINDOWS\system32\sulimo.dat
2007-10-03 21:38 <DIR> d-------- C:\Program Files\Alien Shooter - Vengeance(2)
2007-10-01 14:46 <DIR> d-------- C:\Program Files\Super Spongebob Collapse
2007-09-28 23:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zylom
2007-09-28 23:08 <DIR> d-------- C:\Documents and Settings\1\Application Data\Zylom
2007-09-28 23:08 <DIR> d-------- C:\Documents and Settings\1\Application Data\Zylom
2007-09-28 23:07 <DIR> d-------- C:\Program Files\Zylom Games
2007-09-28 00:14 <DIR> d-------- C:\cleanup
2007-09-27 20:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2007-09-27 01:44 <DIR> d--h----- C:\Documents and Settings\1\InstallAnywhere
2007-09-27 01:44 <DIR> d-------- C:\WINDOWS\system32\DRVSTORE
2007-09-27 01:44 <DIR> d-------- C:\Program Files\NKProds
2007-09-26 21:24 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-09-26 20:00 58,640 --a------ C:\WINDOWS\system32\fwsvpn.dll
2007-09-21 02:44 <DIR> d-------- C:\Program Files\Pinball
2007-09-14 15:28 <DIR> d-------- C:\Documents and Settings\1\Contacts
2007-09-11 22:59 <DIR> d-------- C:\Program Files\priyatna.org
2007-09-11 22:01 <DIR> d-------- C:\Program Files\ICanPressKeys
2007-09-11 19:51 180,224 --ahs---- C:\WINDOWS\system32\vcutg.dll
2007-09-06 20:32 <DIR> d-------- C:\Program Files\Shiny
2007-09-05 00:08 466,944 --a------ C:\WINDOWS\Wolves.scr
2007-09-05 00:08 4,581,939 --a------ C:\WINDOWS\Wolves.dat
2007-09-05 00:06 15,360 --a------ C:\sysmuqf.exe
2007-09-04 23:55 5,658,438 --a------ C:\WINDOWS\Pigs and Piglets.dat
2007-09-04 23:55 466,944 --a------ C:\WINDOWS\Pigs and Piglets.scr
2007-09-04 23:55 28,672 --a------ C:\WINDOWS\system32\ssconfig.exe
2007-09-04 23:55 180,224 --a------ C:\WINDOWS\UninstallWSST.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-01 20:41 --------- d-------- C:\Documents and Settings\1\Application Data\Wildfire
2007-10-01 20:41 --------- d-------- C:\Documents and Settings\1\Application Data\Wildfire
2007-09-28 01:51 --------- d-------- C:\Documents and Settings\1\Application Data\uTorrent
2007-09-28 01:51 --------- d-------- C:\Documents and Settings\1\Application Data\uTorrent
2007-09-27 01:44 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-27 01:44 --------- d-------- C:\Program Files\Save
2007-09-27 01:44 --------- d-------- C:\Program Files\MegauploadToolbar
2007-09-27 01:42 --------- d-------- C:\Program Files\MSN Messenger
2007-09-23 16:53 --------- d-------- C:\Program Files\K-Lite Codec Pack
2007-09-23 16:52 --------- d-------- C:\Program Files\Wesnoth
2007-09-23 16:52 --------- d-------- C:\Program Files\Tumble Bugs
2007-09-23 16:52 --------- d-------- C:\Program Files\MotoGP2
2007-09-23 16:52 --------- d-------- C:\Program Files\Call of Duty
2007-09-09 19:16 --------- d-------- C:\Program Files\Disney Interactive
2007-09-09 03:40 --------- d-------- C:\Documents and Settings\1\Application Data\MegauploadToolbar
2007-09-09 03:40 --------- d-------- C:\Documents and Settings\1\Application Data\MegauploadToolbar
2007-09-03 13:25 --------- d-------- C:\Program Files\Frozen-Bubble
2007-08-26 01:23 --------- d-------- C:\Program Files\3DO
2007-08-25 16:14 24134 --a------ C:\svcipa.exe
2007-08-16 19:47 --------- d-------- C:\Program Files\ChickenInvadersROTYXmas
2007-08-10 17:34 --------- d-------- C:\Documents and Settings\1\Application Data\U3
2007-08-10 17:34 --------- d-------- C:\Documents and Settings\1\Application Data\U3
2007-08-08 20:37 --------- d-------- C:\Program Files\VideoCAM Eye
2007-08-08 20:37 --------- d-------- C:\Program Files\Common Files\VCAMEye
2007-07-30 20:59 15360 --a------ C:\WINDOWS\system32\taskman.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-02-28 21:00]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Device Detector"="C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" [2003-09-17 17:39]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-04-12 18:41]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-14 00:25]
"snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-06-10 13:48]
"RAMfreer"="C:\Program Files\RAMfreer\RAMfreer.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-14 00:26]
"Uniblue RegistryBooster2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
*Newly Created Service* - GMER
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-04 20:49:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-04 20:51:23
C:\ComboFix-quarantined-files.txt ... 2007-10-04 20:50
.
--- E O F ---
 
You uploaded the .pf file, not the .scr.
So, it is located in c:\windows\wolves.scr.

ComboFix.log?


Btw, have you ever had BlackIce installed?

c:\windows\wolves doesn't exist, i.e. I can't find it anywhere; there is only C:\WINDOWS\Prefetch\WOLVES.SCR-351DAB2D.pf, which I already provided.


What was BlackIce again? I think there's some small game with that name.
Anyway, now, after scanning with this ComboFix, the computer is running very slowly.
 
In Windows Explorer, Tools - Folder options, on the View tab:
check Show hidden files and folders
uncheck Hide protected operating system files.

Upload the following files:

C:\WINDOWS\system32\taskman.exe
C:\WINDOWS\system32\vcutg.dll
C:\WINDOWS\system32\fwsvpn.dll
C:\WINDOWS\system32\ssconfig.exe

Delete the following:

C:\sysmuqf.exe
C:\svcipa.exe


Open NOD and uncheck File System monitor Enabled and Internet Monitor Enabled.
Download SmitfraudFix.

  • Restart the computer in Safe Mode (keep pressing F8 while the computer boots and choose Safe Mode from the menu)
  • Double-click SmitfraudFix.exe to run it
  • Choose option #2 - Clean by typing 2 and Enter
  • Wait for the cleaning and Disk Cleanup to finish
  • You will be asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and Enter
  • The program will also check whether wininet.dll is infected. If it is, you will be asked about replacing wininet.dll. Answer "Yes" to the question "Replace infected file ?" by typing Y and Enter

A restart may be needed to complete the cleaning process; if the computer doesn't restart automatically, do it yourself.
Paste the contents of the file C:\rapport.txt here.
 
SmitFraudFix v2.237

Scan done at 23:19:11,12, cet 04.10.2007
Run from D:\download\Krstarica\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\lfd.dat Deleted
C:\WINDOWS\system32\oiso.bin Deleted
C:\WINDOWS\system32\pcf.pdf Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{452334E6-62FF-4FE7-9683-FE7B32206097}: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{452334E6-62FF-4FE7-9683-FE7B32206097}: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{452334E6-62FF-4FE7-9683-FE7B32206097}: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.2


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Reboot

C:\WINDOWS\system32\sulimo.dat Please, Reboot and Run SmitfraudFix option 2 once again.


»»»»»»»»»»»»»»»»»»»»»»»» End
 
Here it is


SmitFraudFix v2.237

Scan done at 0:21:26,23, pet 05.10.2007
Run from D:\download\Krstarica\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\Delete_Me_Dummy_sulimo.dat Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{452334E6-62FF-4FE7-9683-FE7B32206097}: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{452334E6-62FF-4FE7-9683-FE7B32206097}: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{452334E6-62FF-4FE7-9683-FE7B32206097}: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.2
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.2


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
 
Download VundoFix.

  • Run VundoFix.exe and click the Scan For Vundo button.
  • After the scan finishes, if malware is found, click Remove Vundo.
  • Follow the procedure to the end, answering yes to all questions. The computer will restart.

If the file vcutg.dll is not in the list of detected files, right-click in the (white) window of VundoFix and choose the option Add more files?, then, in the window that opens, paste the following into the first box:

C:\WINDOWS\system32\vcutg.dll

Then click Add File(s), Close Window, then Remove Vundo.

After that, post here the contents of the file C:\vundofix.txt as well as a new HijackThis log.


Download Dr.Web CureIt (~7 MB).
  • enter Safe Mode,
  • double-click cureit.exe; an intro window will appear, then press the Start button
  • another window will appear, choose OK,
  • wait a few minutes for Dr.Web to perform the initial memory scan,
  • click to select all partitions/disks for scanning; they are selected when a red ball appears on them,
  • in the top left corner of the program go to Options->Change settings F9 and do as explained in the picture -> here,
  • on the right side of the program press Start and Dr.Web will begin scanning.
Whatever Dr.Web finds, let it delete.
In C:\Documents and Settings\''the username you are logged in as''\DoctorWeb there is the file CureIt.log. Attach it to your next post.

How is the PC running now?
 
VundoFix V6.5.9

Checking Java version...

Scan started at 19:20:32 5.10.2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\system32\vcutg.dll
C:\WINDOWS\system32\vcutg.dll Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of HijackThis v1.99.1
Scan saved at 21:04:32, on 5.10.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\download\Krstarica\Za dr.Boru.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PopupManager Class - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.2.1P.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [RAMfreer] C:\Program Files\RAMfreer\RAMfreer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
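The helper compares this HijackThis log with the first one by eye. As an added example (not from the thread or from HijackThis itself), here is a Python script that parses HijackThis 1.99-format lines and diffs two logs: entries that vanished, entries that appeared, and orphan entries whose target is "(no file)", like the BHO {7E853D72-...} that survives in both logs. The excerpts are constructed from the two logs posted in this thread.

```python
import re
from typing import Dict, List, Tuple

# One HijackThis 1.99 line: a section tag (R0-R3, F0-F3, O1-O24), " - ", then the body.
HJT_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")

# Constructed excerpts in HijackThis format: a few entries from the "before" log
# and the matching entries from the log taken after cleaning.
BEFORE = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

AFTER = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

Entry = Tuple[str, str]  # (section, body)


def parse_hjt(text: str) -> List[Entry]:
    """Keep only R/F/O lines; the header and the 'Running processes' block are ignored."""
    entries = []
    for line in text.splitlines():
        m = HJT_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def normalise(body: str) -> str:
    # Case-fold and collapse whitespace so path-case differences do not show as changes.
    # 8.3 short names (PROGRA~1) are deliberately not expanded, so a toolbar that was
    # reinstalled into a new folder shows up as removed + added.
    return " ".join(body.lower().split())


def diff_hjt(before: str, after: str) -> Dict[str, List[str]]:
    """Compare two logs: entries that vanished, entries that appeared, and entries
    in the new log whose target no longer exists on disk ("(no file)")."""
    old = {(s, normalise(b)): f"{s} - {b}" for s, b in parse_hjt(before)}
    new = {(s, normalise(b)): f"{s} - {b}" for s, b in parse_hjt(after)}
    return {
        "removed": [old[k] for k in old if k not in new],
        "added": [new[k] for k in new if k not in old],
        "orphans": [new[k] for k in new if "(no file)" in k[1]],
    }


if __name__ == "__main__":
    for label, lines in diff_hjt(BEFORE, AFTER).items():
        print(f"== {label} ({len(lines)})")
        for line in lines:
            print("  ", line)
```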
 
Download Dr.Web CureIt (~7 MB).
enter Safe Mode,
double-click cureit.exe; an intro window will appear, then press the Start button
another window will appear, choose OK,
wait a few minutes for Dr.Web to perform the initial memory scan,

I got this far. Then it said that no virus was found. When I select the partitions and click Options->Change settings F9, the options that are in the picture you attached don't appear in the window. Only one checked option appears, and in the middle of that window there are two text boxes.
This file doesn't exist: C:\Documents and Settings\''the username you are logged in as''\DoctorWeb containing the file CureIt.log

click to select all partitions/disks for scanning; they are selected when a red ball appears on them,
in the top left corner of the program go to Options->Change settings F9 and do as explained in the picture -> here,
on the right side of the program press Start and Dr.Web will begin scanning.
Whatever Dr.Web finds, let it delete.
In C:\Documents and Settings\''the username you are logged in as''\DoctorWeb there is the file CureIt.log. Attach it to your next post.

What now?
 
Ahhh... They changed the interface... Sorry.

So, when you go to change settings, just uncheck Heuristic analysis.
In the main program window you can choose Complete Scan and click the green arrow / triangle to start the scan.
The log will be in:
C:\Documents and Settings\''the username you are logged in as''\DoctorWeb

or, if the logs are to be believed:
C:\Documents and Settings\1\Application Data\DoctorWeb


Btw, how is the PC behaving?
 
