[ chips @ 10.09.2007. 10:23 ] @
I have WinXP SP1 with two user accounts on it. One is an administrator, the other is not.

When I log in as the administrator user I can't open Control Panel, the date in the tray, or the desktop settings. A message appears saying something like a service has been cancelled.
When I log in as the other user I can access and configure everything.

If I boot XP in Safe Mode and log in as Administrator I can configure everything, but if I log in with the administrator user I can't; I get the same message.


Does anyone know what the problem is?
[ Milan Gligorijevic @ 10.09.2007. 10:29 ] @
Just tell us which error you get.
[ chips @ 10.09.2007. 14:24 ] @
I forgot to mention that this happened after cleaning a virus with Avast and SUPERAntiSpyware. That's why I put the topic in the Protection section.

And the message it prints is:
[ Binary Mind @ 10.09.2007. 16:10 ] @
Try installing some other antispyware and antitrojan programs and scan with them. Also use HijackThis and post the results (log file) here.
[ chips @ 10.09.2007. 16:59 ] @
Quote:
Logfile of HijackThis v1.99.0
Scan saved at 17:54:04, on 10-9-2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\AGLOCO Viewbar\Viewbar.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\chips.MATORY\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Viewbar] C:\Program Files\AGLOCO Viewbar\Viewbar.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Cashfiesta.lnk = C:\Program Files\Cashfiesta\FiestaBar\Cashfiesta.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Vypress Chat StartUp.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Transload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5004
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D2E73A0-E528-46B4-AC71-1171499269AA}: NameServer = 212.200.78.141
O20 - AppInit_DLLs: C:\WINDOWS\System32\systems.txt
O23 - Service: Acronis Scheduler2 Service - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodata Limited License Service - Unknown - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


If a moderator could move the topic to where it belongs.
[ Milan Gligorijevic @ 10.09.2007. 20:42 ] @
http://support.microsoft.com/kb/278839

Google: "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator"
[ Binary Mind @ 10.09.2007. 23:15 ] @
How many of these stupid toolbars have you installed, which are spyware in themselves? That Megaupload toolbar is spyware number one :) And Agloco is no better. Apart from what I listed, I roughly know which malware you got, but Avast couldn't delete it completely :)

Delete this in HijackThis:

O20 - AppInit_DLLs: C:\WINDOWS\System32\systems.txt

Download this:

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Extract all the files to the desktop and you'll see a SmitfraudFix folder appear on the desktop. Then open that folder and run smitfraudfix.cmd. After that choose option 1 (1, then Enter) to start the search. The log will be created in C:\rapport. When it produces it, post it here together with the HijackThis log.

After that download this:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

And run a scan. Don't do anything on the computer while it scans. After the scan it will restart. Post its log here too.



[ chips @ 11.09.2007. 00:00 ] @
@mmwc

As for gpedit, I didn't find anything unusual.


@Binary Mind.

I can't remove O20 - AppInit_DLLs: C:\WINDOWS\System32\systems.txt!!!



Quote:
SmitFraudFix v2.222

Scan done at 0:54:37,87, uto 11-09-2007
Run from C:\Documents and Settings\chips.MATORY\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\AGLOCO Viewbar\Viewbar.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
D:\Program Files\Vypress Chat\VyChat.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\winavxx.exe
c:\2B.tmp
c:\28.tmp
C:\WINDOWS\System32\home.exe.exe
C:\WINDOWS\System32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

192.168.200.3 download.microsoft.com
192.168.200.3 downloads.microsoft.com
192.168.200.3 go.microsoft.com
192.168.200.3 microsoft.com
192.168.200.3 msdn.microsoft.com
192.168.200.3 office.microsoft.com
192.168.200.3 support.microsoft.com
192.168.200.3 windowsupdate.microsoft.com
192.168.200.3 www.microsoft.com
192.168.200.3 pandasoftware.com
192.168.200.3 www.pandasoftware.com

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\printer.exe FOUND !
C:\WINDOWS\system32\systems.txt FOUND !
C:\WINDOWS\system32\vtr???.dll FOUND !
C:\WINDOWS\system32\WinAvXX.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\chips.MATORY


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\chips.MATORY\Application Data

C:\Documents and Settings\chips.MATORY\Application Data\Install.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\CHIPS~1.MAT\STARTM~1\Programs\Startup\system.exe FOUND !
C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Programs\Startup\autorun.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\CHIPS~1.MAT\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\systems.txt"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 212.200.78.141

HKLM\SYSTEM\CCS\Services\Tcpip\..\{9D2E73A0-E528-46B4-AC71-1171499269AA}: NameServer=212.200.78.141
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9D2E73A0-E528-46B4-AC71-1171499269AA}: NameServer=212.200.78.141


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
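The "hosts file corrupted !" section in the SmitFraudFix log above is the part of this infection that silently cuts the machine off from Windows Update and antivirus vendors: every Microsoft and Panda name is pinned to 192.168.200.3, so update checks go to a host the attacker chose (or nowhere) instead of the real servers. The script below is an added example, not part of the original thread or of SmitFraudFix; it parses hosts-file text and separates deliberate blocking (a protected name mapped to loopback or 0.0.0.0) from hijacking (a protected name mapped to any other address). The sample text is constructed from the entries in the log, and the list of protected domain suffixes is an assumption you would extend for your own environment.

```python
"""Flag hosts-file entries that hijack update and security-vendor domains.

Added example, not from the thread or from SmitFraudFix. SAMPLE_HOSTS is
constructed from the entries the log above printed; PROTECTED_SUFFIXES and
the loopback-means-block rule are the author's assumptions.
"""
import ipaddress

# Domains whose redirection usually means malware is starving the box of
# patches and signature updates (assumption: extend for your environment).
PROTECTED_SUFFIXES = (
    "microsoft.com",
    "windowsupdate.com",
    "pandasoftware.com",
    "avast.com",
    "symantec.com",
    "mcafee.com",
    "kaspersky.com",
)

# Targets that mean "block this name" rather than "send it somewhere else".
BLACKHOLE_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: stock XP entry, the hijacked names from the log,
# and one harmless ad-blocking entry that must not be flagged.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
192.168.200.3 download.microsoft.com
192.168.200.3 windowsupdate.microsoft.com
192.168.200.3 www.microsoft.com
192.168.200.3 www.pandasoftware.com
0.0.0.0 ads.example.com   # comment after the entry
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and junk lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        try:
            ipaddress.ip_address(ip)  # reject lines whose first token is not an address
        except ValueError:
            continue
        for name in parts[1:]:  # one IP may carry several names on a line
            yield ip, name.lower()


def is_protected(name):
    """True when the name is, or is under, one of the protected suffixes."""
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def classify(ip, name):
    """Return 'hijack', 'block' or None for a single hosts entry."""
    if not is_protected(name):
        return None
    return "block" if ip in BLACKHOLE_TARGETS else "hijack"


def triage_hosts(text):
    """Return {'hijack': [...], 'block': [...]} of (ip, name) pairs."""
    findings = {"hijack": [], "block": []}
    for ip, name in parse_hosts(text):
        verdict = classify(ip, name)
        if verdict:
            findings[verdict].append((ip, name))
    return findings


if __name__ == "__main__":
    for verdict, entries in triage_hosts(SAMPLE_HOSTS).items():
        for ip, name in entries:
            print(f"{verdict:6} {name} -> {ip}")
```

On the log above this reports four hijack entries and no block entries. A private address such as 192.168.200.3 as the target is itself a tell: nothing legitimate on a home PC resolves microsoft.com to a LAN address, so the fix is to restore the hosts file to its single localhost line rather than to edit the targets.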
[ chips @ 11.09.2007. 00:21 ] @
While ComboFix was running, Avast went off several times.
Here's the log

Quote:
ComboFix 07-09-10.6 - "chips" 2007-09-11 1:04:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1250.1.1033.18.576 [GMT 2:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\chips\APPLIC~1\install.dat
C:\DOCUME~1\CHIPS~1.MAT\APPLIC~1\install.dat
C:\DOCUME~1\CHIPS~1.MAT\STARTM~1\Programs\Startup\system.exe
C:\WINDOWS\spooldr.exe
C:\WINDOWS\system32\9_exception.nls
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\home.exe.exe
C:\WINDOWS\system32\spooldr.sys
D:\Autorun.inf


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ICF
-------\LEGACY_RUNTIME
-------\LEGACY_SFSYNC02
-------\ICF
-------\nm
-------\runtime
-------\sfsync02
-------\SysLibrary


((((((((((((((((((((((((( Files Created from 2007-08-10 to 2007-09-10 )))))))))))))))))))))))))))))))
.

2007-09-11 01:03 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-11 00:54 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-11 00:54 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-11 00:54 3,370 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-11 00:54 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-11 00:54 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-11 00:45 7,680 --a------ C:\WINDOWS\system32\winavxx.exe
2007-09-11 00:45 7,680 --a------ C:\WINDOWS\system32\printer.exe
2007-09-11 00:45 39,424 --a------ C:\WINDOWS\system32\vtr.dll
2007-09-10 23:56 <DIR> d---s---- C:\DOCUME~1\ADMINI~1.MAT\UserData
2007-09-09 23:49 <DIR> d-------- C:\DOCUME~1\IVAN\APPLIC~1\VyPRESS
2007-09-09 23:49 <DIR> d-------- C:\DOCUME~1\IVAN\APPLIC~1\ATI
2007-09-09 22:50 35,072 --a------ C:\WINDOWS\system32\drivers\runtime2.sys
2007-09-09 22:49 4,096 --a------ C:\WINDOWS\system32\ntsd.dll
2007-09-09 22:49 15,360 --a------ C:\WINDOWS\vmmreg32.exe
2007-09-08 20:01 <DIR> d-------- C:\Program Files\URUSoft
2007-09-08 20:01 <DIR> d-------- C:\DOCUME~1\CHIPS~1.MAT\APPLIC~1\URUSoft
2007-09-03 22:57 <DIR> d-------- C:\DOCUME~1\CHIPS~1.MAT\APPLIC~1\Apple Computer
2007-09-03 22:56 <DIR> d-------- C:\Program Files\QuickTime
2007-09-03 22:56 <DIR> d-------- C:\Program Files\iTunes
2007-09-03 22:56 <DIR> d-------- C:\Program Files\iPod
2007-09-03 22:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Apple Computer
2007-09-03 22:55 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-03 22:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Apple
2007-09-03 22:11 <DIR> d-------- C:\Program Files\EphPod
2007-09-03 21:53 <DIR> d-------- C:\Program Files\Commandos II
2007-08-29 17:46 <DIR> d-------- C:\MATERIJALNO2007
2007-08-28 23:02 <DIR> d-------- C:\MATERIJALNO
2007-08-22 17:28 <DIR> d-------- C:\Program Files\Cracklock
2007-08-19 18:55 0 --a------ C:\WINDOWS\system32\dummy.dat
2007-08-19 18:55 <DIR> d-------- C:\Program Files\AGLOCO Viewbar
2007-08-17 18:58 <DIR> d-------- C:\Program Files\Cashfiesta
2007-08-17 18:58 <DIR> d-------- C:\DOCUME~1\CHIPS~1.MAT\APPLIC~1\Cashfiesta

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-11 00:46 374016 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-09-11 00:46 --------- d-------- C:\DOCUME~1\CHIPS~1.MAT\APPLIC~1\MailWasherPro
2007-09-10 20:19 --------- d-------- C:\Program Files\SUPERAntiSpyware
2007-09-08 19:14 --------- d-------- C:\Program Files\Gabest
2007-09-07 18:40 --------- d-------- C:\DOCUME~1\CHIPS~1.MAT\APPLIC~1\Canon
2007-09-06 16:03 --------- d-------- C:\Program Files\STARWARS_TheBattleOfEndor_v21
2007-09-06 12:05 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 12:05 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 12:03 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 12:02 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 12:00 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-03 21:53 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-02 11:30 --------- d-------- C:\DOCUME~1\CHIPS~1.MAT\APPLIC~1\uTorrent
2007-07-31 20:59 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-31 20:59 --------- d-------- C:\DOCUME~1\CHIPS~1.MAT\APPLIC~1\SUPERAntiSpyware.com
2007-07-31 20:59 --------- d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\SUPERAntiSpyware.com
2007-07-31 01:09 --------- d-------- C:\Program Files\SpeedFan
2007-07-31 00:56 --------- d-------- C:\Program Files\ATMEL
2007-07-31 00:53 --------- d-------- C:\Program Files\GIGABYTE
2007-07-29 02:04 --------- d-------- C:\Program Files\Dreamcatcher
2007-07-21 22:05 --------- d-------- C:\Program Files\SmartPCTools
2007-07-19 06:32 --------- d-------- C:\DOCUME~1\CHIPS~1.MAT\APPLIC~1\Spyware Terminator
2007-07-19 00:31 --------- d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Lavasoft
2007-07-18 06:18 --------- d-------- C:\Program Files\MP3 Player Utilities 3.68
2007-07-18 01:34 77312 --a------ C:\WINDOWS\ua2.dll
2007-07-13 00:39 --------- d-------- C:\Program Files\Attack on Pearl Harbor
2005-11-23 23:50 286720 --a------ C:\DOCUME~1\chips\WebMagikUninstall.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 12:06]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-28 22:05]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-06-29 02:09]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"Acronis True Image Monitor"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-12-17 20:25]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-12-17 20:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 04:10]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 12:06]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 16:57]
"Viewbar"="C:\Program Files\AGLOCO Viewbar\Viewbar.exe" [2007-06-13 11:04]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"WinAVX"="C:\WINDOWS\System32\WinAvXX.exe" [2007-09-11 00:45]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-30 16:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"WinAVX"="C:\WINDOWS\System32\WinAvXX.exe" [2007-09-11 00:45]

C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-06-29 02:09:28]
autorun.exe [2007-09-11 00:45:39]
Vypress Chat StartUp.lnk - C:\WINDOWS\Installer\{A1E1619F-036F-4176-8563-AA9E570113F0}\iconVCAdvertised.exe [2006-08-01 23:09:43]

C:\DOCUME~1\CHIPS~1.MAT\STARTM~1\Programs\Startup\
system.exe [2007-09-11 00:45:39]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAutoUpdate"=0 (0x0)
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\System32\printer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoSys]

R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\System32\DRIVERS\snapman.sys
R0 timounter;Acronis TrueImage Backup Archive Explorer;C:\WINDOWS\System32\DRIVERS\timntr.sys
R2 tifsfilter;Acronis TrueImage FS Filter;C:\WINDOWS\System32\DRIVERS\tifsfilt.sys
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINDOWS\System32\DRIVERS\RMSPPPOE.SYS
S3 C-Dilla;C-Dilla;\??\C:\WINDOWS\System32\drivers\CDANT.SYS
S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\System32\DRIVERS\MSIRCOMM.sys
S3 NETDLWL;D-Link Air Wireless Adapter(DL) NT Driver;C:\WINDOWS\System32\DRIVERS\NETDLWL.SYS
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\NSNDIS5.SYS
S3 SF-620;Kingsun SF-620 USB Infrared Adapter;C:\WINDOWS\System32\DRIVERS\SF-620.sys
S3 ZD1201U(Gigabyte);Gigabyte GN-WLBZ series IEEE 802.11b Wireless LAN Driver (USB)(Gigabyte);C:\WINDOWS\System32\DRIVERS\zd1201u.sys
S3 ZDNDIS5;ZDNDIS5 Protocol Driver;\??\C:\WINDOWS\System32\ZDNDIS5.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-09-03 20:55:50 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-09-12 18:43:14 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-11 01:09:16
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-11 1:10:29 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-11 01:10
.
--- E O F ---


And here's HijackThis again

The O20 line is gone

Quote:
Logfile of HijackThis v1.99.0
Scan saved at 1:17:56, on 11-9-2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\AGLOCO Viewbar\Viewbar.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\autorun.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\chips.MATORY\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\printer.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Viewbar] C:\Program Files\AGLOCO Viewbar\Viewbar.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - Startup: system.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Vypress Chat StartUp.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Transload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5004
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D2E73A0-E528-46B4-AC71-1171499269AA}: NameServer = 212.200.78.141
O23 - Service: Acronis Scheduler2 Service - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodata Limited License Service - Unknown - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


As for the message "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator", it is still there on this user.
[ Binary Mind @ 11.09.2007. 00:26 ] @
How come you couldn't? You tick it in HijackThis and click Fix :)

Delete these files manually if SmitFraudFix hasn't already removed them:

C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\systems.txt
C:\WINDOWS\system32\vtr???.dll
C:\WINDOWS\system32\WinAvXX.exe
C:\Documents and Settings\chips.MATORY\Application Data\Install.dat
C:\DOCUME~1\CHIPS~1.MAT\STARTM~1\Programs\Startup\system.exe
C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Programs\Startup\autorun.exe



Did you run the scan in ComboFix? :) Once you remove the systems.txt reg value with HijackThis, run all 3 scans again (first SmitFraudFix, then HJT, then ComboFix) and post the logs.

[ Binary Mind @ 11.09.2007. 00:29 ] @
While you were writing your second consecutive post I was writing my post above. Take it as a reply to your previous post :)
[ Binary Mind @ 11.09.2007. 00:34 ] @
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Also tick these values in HijackThis and click Fix to delete them :)
[ Binary Mind @ 11.09.2007. 00:43 ] @
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\printer.exe
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - Global Startup: autorun.exe
O4 - Startup: system.exe

You should delete these in HJT as well!
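The three posts above pick out the HijackThis lines worth fixing: the F2 Winlogon Shell line that launches a second binary next to Explorer, the O7 policy entries behind the "restrictions in effect on this computer" message, the O20 AppInit_DLLs value (a .txt that every GUI process would load as a DLL), the bare executables dropped into the Startup folders, and the WinAVX Run entries. The script below is an added example, not code from the thread or from HijackThis; it encodes those judgements as rules and runs them over sample lines copied from the log posted above. The severities, the policy-to-symptom table and the small System32 allowlist are assumptions made for illustration, and the System32 rule is deliberately only "review" because a path alone cannot prove a file is malicious.

```python
"""Triage HijackThis log lines for the indicators discussed in this thread.

Added example, not from the thread or from HijackThis itself. SAMPLE_LOG
lines are copied from the log posted above; the rules, severities,
POLICY_SYMPTOMS and SYSTEM32_ALLOWLIST are the author's assumptions.
"""
import re

SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\printer.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\System32\systems.txt
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D2E73A0-E528-46B4-AC71-1171499269AA}: NameServer = 212.200.78.141
"""

# System32 binaries that legitimately autostart on XP (assumption; extend it).
SYSTEM32_ALLOWLIST = {"ctfmon.exe"}

# Policy value -> the symptom the user sees. Each of these produces the
# "This operation has been cancelled due to restrictions..." dialog.
POLICY_SYMPTOMS = {
    "DisableRegedit": "regedit refuses to start",
    "DisableRegistryTools": "regedit refuses to start",
    "DisableTaskMgr": "Task Manager refuses to start",
    "NoControlPanel": "Control Panel and its applets are blocked",
    "NoWindowsUpdate": "Windows Update is blocked",
}


def triage_line(line):
    """Return (severity, reason) for a suspicious HijackThis line, else None."""
    line = line.strip()
    m = re.match(r"(F\d|O\d+) - (.*)", line)
    if not m:
        return None
    section, body = m.groups()

    # F2: Winlogon Shell should be exactly Explorer.exe; anything appended runs at logon.
    if section == "F2" and "Shell=" in body:
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return ("fix", f"Winlogon Shell runs an extra binary: {shell}")

    # O7: policy restrictions a home user never set themselves.
    if section == "O7":
        for name, symptom in POLICY_SYMPTOMS.items():
            if f"{name}=1" in body:
                return ("fix", f"policy {name}=1 ({symptom})")
        return ("review", "unrecognised policy restriction")

    # O20: AppInit_DLLs is injected into every process that loads user32.dll.
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        target = body.split(":", 1)[1].strip()
        if target:
            return ("fix", f"AppInit_DLLs injects into every GUI process: {target}")

    if section == "O4":
        # Startup folders normally hold .lnk shortcuts, not dropped executables.
        m2 = re.match(r"(Global Startup|Startup): (.+)", body)
        if m2:
            item = m2.group(2).split(" = ", 1)[0]
            if not item.lower().endswith(".lnk"):
                return ("fix", f"bare executable in Startup folder: {item}")
        # Run keys pointing at unknown binaries inside System32 deserve a look.
        m3 = re.search(r"\\Run: \[[^\]]*\] \"?(.+?\.exe)", body, re.I)
        if m3:
            path = m3.group(1)
            name = path.rsplit("\\", 1)[-1].lower()
            if "\\system32\\" in path.lower() and name not in SYSTEM32_ALLOWLIST:
                return ("review", f"Run entry launches unlisted System32 binary: {name}")
    return None


def triage_log(text):
    """Return [(severity, line, reason)] for every flagged line in the log."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            verdict = triage_line(line)
            if verdict:
                findings.append((verdict[0], line.strip(), verdict[1]))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage_log(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

Run against the sample it flags seven lines: six "fix" (the F2 shell, both O7 policies, the O20 value and the two bare Startup executables) and one "review" (WinAvXX.exe). The ISP DNS server in the O17 line is left alone, as it was in the thread. Note that ticking the O7 lines in HijackThis removes DisableRegedit only; the NoControlPanel and DisableTaskMgr values that ComboFix listed live under the same Policies keys and are what the Control Panel error message comes from.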
[ chips @ 11.09.2007. 06:10 ] @
That's it. Well done, Binary!

The unwanted message is gone.

[ Binary Mind @ 11.09.2007. 12:57 ] @
One more thing. Turn off System Restore, restart the computer and turn it back on if you want to have it :)

And just tell me how you picked up SmitFraud :)
[ chips @ 11.09.2007. 14:09 ] @
System Restore is always off. I never turn it on.


I picked up the vermin from other hard drives that I attached to this machine to clean them. They're drives belonging to friends and acquaintances who were attacked one after another within a short period.

Their computers kept restarting during boot (it's a loop). I restored their systems and their computers work again, but that's how I picked up all sorts of stuff.

Otherwise I have no idea where exactly I picked up this SmitFraud. If you know more about it, write it up.

And once again, thanks.
[ Binary Mind @ 11.09.2007. 14:54 ] @
It's mostly picked up on sites with video content (porn sites among others) where you supposedly have to download some codecs to watch the movies and clips :) Once you get it, depending on the variant, fake pop-ups appear telling you that you have spyware on your computer and that if you want to remove that spyware you have to buy the full version of such-and-such antispyware program (pure scam). That's it in short. Some other variants cause fake BSODs to appear :) Now, what they install and how to remove them you've already learned, haven't you, and if you get another variant just let us know :)
[ Goran Mijailovic @ 18.09.2007. 15:25 ] @
Quote:
Binary Mind: One more thing. Turn off System Restore, restart the computer and turn it back on if you want to have it :)

And just tell me how you picked up SmitFraud :)


Hi :)

Sorry I'm late, I was away.

Has anyone tried SmitfraudFix? What are your experiences? Binary knows, right?? ;)
[ Binary Mind @ 20.09.2007. 17:57 ] @
Well, we solved the guy's problem using HijackThis, SmitFraudFix and ComboFix :) SmitfraudFix is good. My experience is that it's better as a diagnostic tool than as a total solution to the problem. That's how we used it here too :) Deleting the problematic files is better done manually. Antivirus programs and other security tools are primarily just tools. They're not permanent solutions. Anyone who feels safe because they have NOD32 or KAV installed is deeply mistaken. A person solves problems with their help, their own brains and experience, as was seen in this example too :)

[This message was edited by Binary Mind on 20.09.2007 at 22:10 GMT+1]
[ nepo @ 02.10.2007. 23:07 ] @
Hi, I need help too, I have the same problem as chips, and I can't interpret the HijackThis log file.. :(

Edit: sorted :)