Imam dve stetocine

sistem je podignut pre par dana,danas sam se prikacio na net,instalirao avast,skenirao,pronasao je neke stvari koje sam obrisao,posle toga sam opet ukljucio da skenira i kad je presao da skenira D paticiju avast je izbacio ova dva prozora








instalirao sam Spybot,on nista nije nasao
Malwarebytes' Anti-Malware takodje nista nije nasao

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:02 PM, on 1/5/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\TechniSat DVB\bin\Server4PC.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Girder\Girder.exe
C:\Program Files\FreePack\PSU\PSU.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Girder3.lnk = C:\Program Files\Girder\Girder.exe
O4 - Startup: PowerInstall Softcam Updater.lnk = C:\Program Files\FreePack\PSU\PSU.EXE
O4 - Global Startup: Server4PC.lnk = C:\Program Files\TechniSat DVB\bin\Server4PC.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.co...t/wuweb_site.cab?1231160644343
O17 - HKLM\System\CCS\Services\Tcpip\..\{F10FBAA7-E735-452E-BFC0-417D43276FEF}: NameServer = 93.93.93.2,194.106.162.3
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 2903 bytes

ComboFix 09-01-05.02 - Administrator 2009-01-05 22:42:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1023.603 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

[COLOR=RED][B]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/B][/COLOR]
.

((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.

2009-01-05 20:32 . 2009-01-05 20:33 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-05 20:32 . 2009-01-05 20:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-05 20:32 . 2009-01-05 20:32 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-05 20:32 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-05 20:32 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-05 19:03 . 2009-01-05 19:03 <DIR> d-------- c:\program files\Common Files\ACD Systems
2009-01-05 19:03 . 2009-01-05 19:03 <DIR> d-------- c:\program files\ACD Systems
2009-01-05 19:03 . 2009-01-05 19:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\ACD Systems
2009-01-05 19:03 . 2009-01-05 19:03 <DIR> d-------- c:\documents and settings\Administrator\Application Data\ACD Systems
2009-01-05 18:34 . 2009-01-05 18:34 <DIR> d-------- C:\directx
2009-01-05 17:23 . 2009-01-05 17:23 <DIR> d-------- c:\program files\Alwil Software
2009-01-05 17:23 . 2003-03-18 21:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-01-05 14:03 . 2009-01-05 14:03 <DIR> d---s---- c:\documents and settings\Administrator\UserData
2009-01-05 14:00 . 2009-01-05 18:36 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-05 14:00 . 2004-03-09 00:00 1,081,616 --a------ c:\windows\system32\MSCOMCTL.OCX
2009-01-05 13:45 . 2009-01-05 13:45 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-05 13:45 . 2009-01-05 13:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-05 13:32 . 2009-01-05 13:32 0 --a------ c:\windows\nsreg.dat
2009-01-03 22:31 . 2009-01-03 22:31 <DIR> d-------- c:\program files\EA SPORTS
2008-12-31 20:03 . 2008-12-31 20:03 <DIR> d-------- c:\documents and settings\Administrator\Application Data\ArcSoft
2008-12-31 19:02 . 2008-12-31 19:02 <DIR> d-------- c:\program files\K-Lite Codec Pack

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-05 12:55 --------- d-----w c:\program files\FreePack
2008-12-31 17:54 --------- d-----w c:\program files\Girder
2008-12-31 17:47 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-31 17:46 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-31 17:44 --------- d-----w c:\program files\Common Files\ArcSoft
2008-12-31 17:44 --------- d-----w c:\documents and settings\All Users\Application Data\ArcSoft
2008-12-31 17:43 --------- d-----w c:\program files\Foxit Software
2008-12-31 17:43 --------- d-----w c:\documents and settings\Administrator\Application Data\Foxit
2008-12-31 17:41 --------- d-----w c:\program files\DVBViewerTE
2008-12-31 17:39 --------- d-----w c:\program files\TechniSat DVB
2008-12-31 17:22 --------- d-----w c:\program files\ATI Technologies
2008-12-31 17:18 --------- d-----w c:\program files\Realtek
2008-12-31 17:12 --------- d-----w c:\program files\Intel
2008-12-31 17:05 558,142 ----a-w c:\windows\java\Packages\F5N1JF9F.ZIP
2008-12-31 17:05 155,995 ----a-w c:\windows\java\Packages\NLBRJ53Z.ZIP
2008-12-31 17:05 --------- d-----w c:\program files\microsoft frontpage
2008-12-08 11:53 57,344 ----a-w c:\windows\system32\ff_vfw.dll
2008-12-07 18:08 795,648 ----a-w c:\windows\system32\xvidcore.dll
2008-12-07 18:08 130,048 ----a-w c:\windows\system32\xvidvfw.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\divx.dll
2008-10-16 13:12 202,776 ----a-w c:\windows\system32\wuweb.dll
2002-08-29 03:41 159,179 --sha-r c:\windows\system32\hldbjxc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-12-17 2107224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Girder3.lnk - c:\program files\Girder\Girder.exe [2008-12-31 1830912]
PowerInstall Softcam Updater.lnk - c:\program files\FreePack\PSU\PSU.EXE [2008-10-07 57003]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Server4PC.lnk - c:\program files\TechniSat DVB\bin\Server4PC.exe [2008-12-31 430080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

R1 archlp;archlp;c:\windows\system32\drivers\archlp.sys [2008-12-31 10624]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-05 111184]
R3 SKYNET;B2C2 Broadband Receiver PCI Adapter;c:\windows\system32\drivers\SkyNET.sys [2008-12-31 451816]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
S4 dsxsamkbn;Config Helper;c:\windows\system32\svchost.exe -k netsvcs [2001-08-23 12800]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
dsxsamkbn
.
.
------- Supplementary Scan -------
.
TCP: {F10FBAA7-E735-452E-BFC0-417D43276FEF} = 93.93.93.2,194.106.162.3

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1q8sfr1s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.elitesecurity.org/f101-PC-DVB-kartice
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 22:42:50
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dsxsamkbn]
"ServiceDll"="c:\windows\System32\hldbjxc.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1764)
c:\windows\System32\ODBC32.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1820)
c:\windows\System32\dssenh.dll
.
Completion time: 2009-01-05 22:43:12
ComboFix-quarantined-files.txt 2009-01-05 21:43:05

Pre-Run: 44,417,175,552 bytes free
Post-Run: 44,412,096,512 bytes free

116

Ti u sistemu odnosno na C nemas nista, logovi su cisti, to sto je nasao na D to su verovatno neki krekovi od igrica ili programa i to je avast ocistio.
Drugo, pod hitno da instaliras sp3 ili sp2 jer svaki tvoj izlazak na net je opasan sa sp1, to nema smisla da se cisti uopste., Znaci skini sp3 i instaliraj jer kazes da je sistem sveze instaliran, znaci instalacija ce da prodje bez greske.

Jos nesto, deinstaliraj Combofix
Start> run> combofix /u ok

pa avasta nista nije nasao na D particiji nego na C,kao sto sam rekao kad je presao da skenira D posle nekog vremena mi je izbacio ta dva prozora...
sto se tice service pack-a,kad sam instalirao now windows obicno mi je izbacivao poruku za automatic update ali se to ovaj put nije desilo pa sam otvorio ovu temu http://www.elitesecurity.org/t349975-xp-service-pack-update gde mi je calexx rekao da mozda imam nekog uljeza pa sam tek tad poceo da skeniram po kompu,posto na ovom racunaru imam problem da kad skinem negde ceo SP2 i instaliram ga obicno mi je racunar prijavljivao brdo nekakvih gresaka,a kad je sve to radio preko automatic update-a uvek je sve prolazilo kako treba,malo me buni to sto kad probam da odem na neki microsoft sajt obicno mi izbaci nesto tipa Address Not Found can't find the server ili nesto slicno

Ok nismo se razumeli, a ja nisam zagledao slike, u svakom slucaju logovi su cisti.

Edit:
cekaj samo malo, odakle ova IP na tvom kompu, da li ti je poznata

93.93.93.2
Address: P.O. Box 10096
address: OOO "CCT"
address: Svobody Ul., 91, korp. 2,
address: Moscow, Russia, 123481

hvala

Ova gore IP adresa nikako ne bi smela da se nalazi na tvom racunaru, posto vidim da ti je provajder Beotel.net
Trebali bi da je uklonimo posto je verovatno to problem sto ne mozes na MS sajt

Pokreni HJT oznaci ovu liniju i klikni na Fix

O17 - HKLM\System\CCS\Services\Tcpip\..\{F10FBAA7-E735-452E-BFC0-417D43276FEF}: NameServer = 93.93.93.2,194.106.162.3

meni je provajder optikom.
a te adrese su dns serveri od optikom-a.
da ih uklonim?

izbrisao sam i morao sad da vratim posto mi ne radi net kad to uklonim,izgleda da nesto drugo blokira microsoft sajt

ne kazem da su maliciozni..ali...sto nebi proverio

nadji ove fajlove

c:\windows\nsreg.dat
c:\windows\system32\hldbjxc.dll

uploaduj ih na Virustotal na skeniranje
http://www.virustotal.com/

pre toga prikazi skrivene fajlove

My Computer/ Tools /Folder Options / View tab.
stikliraj Display the contents of system folders.
klikni na Show hidden files and folders.
skini kvacicu sa Hide file extensions for known file types.
skini kvacicu sa Hide protected operating system files.
Apply / OK

---

194.106.162.3 je Beotelov DNS

---

pronasao sam te fajlove...





ali nema sanse da otvorim taj link sto si ostavio,uvek izbacuje poruku da nije pronasao adresu,isto kao za microsoft sajtove...
poceo je opet da mi izbacuje avast upozorenja,kao na prvoj slici sto sam postavio,samo sto ovaj put izbacuje dve slike sa istim virusom ali u jednom pise da je virus a na drugom pise da je malware,primer.



skenirao sam 5 puta od sinoc sa Malwarebytes' Anti-Malware-om i jedanput nadje 2 komada pa ih kao obrise,restartuje se komp ali posle nekog vremena avast opet izbaci prozor,ja opet skeniram ali Malwarebytes' ne pronadje nista,posle nekog vremana opet skeniram sa Malwarebytes pa onda nadje 2 komada i tako sve u krug....
primetio sam da na velikom broju sajtova imam restrikcije i ne mogu da im pristupim,kao sto je ovaj sto je magna postavio i na sve microsoft sajtove,verovatno zbog toga ja ne mogu da update windows...
nije mi jasno kako taj virus tako uspesno bezi svim programima,jel moguce da nekako pobegne na D pa da se vrati na? pitam ovo ako ne budem uspeo da ga obrisem da li ce biti problem podizati sistem(nadam se da do dizanja sistema nece doci)

Imas opciju u avasu kad kliknes desni klik na interfejs da mu zakazes skeniranje pre podizanja sistema. Probaj tako pa restaruj i vidi da li ce da ih obrise, posto ih on vec vidi na racunaru ali ne moze da ih obrise iz normal moda.

Uradi jos ovo
Klikni na start pa run i iskopiraj ovo pa lupi enter

C:\WINDOWS\NOTEPAD.EXE C:\WINDOWS\SYSTEM32\DRIVERS\etc\HOSTS

zakaci na forum komplet tekst iz hosts fajla.

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

posto nisam siguran jel ovo neki virus..ili sta vec
napravi kopije ovih fajlova (za svaki slucaj)

ovo su im lokacije

c:\windows\nsreg.dat
c:\windows\system32\hldbjxc.dll

spakuj te kopije u zip / rar pa sacuvaj negde na desktopu

a originale obrisi iz safe moda pa javi stanje
hosts je ok

---

c:\windows\system32\hldbjxc.dll ne mogu da prekopiram u .rar arhivu



sad mi je izbacio i ovo

A da možda promeniš Avast? Vidiš da on nije sposoban da ukloni te stvari koje ti nađe, neki drugi će sigurno moći.

Skini combofix i trebalo bi da ga sredi.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Probaj skinuti sa sysinternals-ove stranice (http://technet.microsoft.com/e...a3-4ed8-9dd6-40c84cb9e2f5.aspx)
Autoruns pa pogledaj da li ima sta sumnjivo prilikom startanja Windows-a.
Skini regmon i filemon pa pogledaj ima li sta sumnjivo.

Instaliraj firewall ako vec nisi.Kako vidim ova IP adresa je iz Rusije (Moskva) 93.95.160.87

nisam vise mogao da izdrzim i podigao sam sistem...
kad se podizanje zavrsilo i kad mi je izbacio ovaj prozor



znao sam da su gamad jos tu,skinem i instaliram Ad-Aware,odradim update,skeniram i bummm



normalo odem na remove i program mi kaze da moram da restartujem da bi mogao da izbrise neki od ova tri virusa...

kad sam restartovao komp ukljucio sam pa iskljucio system restore,ponovo skenirao,ovaj put je nasao samo treceg sa liste,izbrisao sam ga,restartovao,opet skenirao i ovaj put nije nasao nista...
imam neki utisak da ce da me iznenadi opet za nekih pola sata...posto vidim da je net usporen i da mi treba po nekoliko puta da osvezim stranicu da bi je otvorio

nov sistem kazes...hm
sta ti kazem..postavi svez HJT log
pre pokretanja HjT promeni mu naziv u ES2.exe
moramo da lociramo problem..tj. da se krene od nekle

bilo bi pozeljno da odradis i update




_{[Ovu poruku je menjao magna86 dana 07.01.2009. u 08:58 GMT+1]}

---