| |
WORM/Conficker.Y.15 [worm]
|
|
|
|
 Poslao: 05 Feb 2010 11:55 |
|
|
|
|
ljudi ako mozete pomagajte 
imam problem sa confickerom Y 15,racunar nam je u mrezi od 10 racunara i zadnja tri mjeseca se javlja, avira ga detektuje ali ne moze da obrise ('WORM/Conficker.Y.15 [worm]'
detected in file 'C:\WINDOWS\system32\pwyhgaex.fo.)
i on se vraca naravno. nema nekih smetnji ali konstantno se javlja.
imam adsl 512kbp/s i 32 bitni racunar.
ako neko moze sto detaljnije da me navede,bio bih zahvalan,
evo pokusacu sve potrebno da prilozim,pa ako nesto nije kako treba javite,
hvala unaprijed
DDS (Ver_09-12-01.01) - NTFSx86
Run by pc at 11:48:05,35 on 04.02.2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.2047.1448 [GMT 1:00]
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows Defender *enabled* (Updated) {FDFE477F-8FE7-4B17-A05C-9D1F9EB603CB}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Dealio Toolbar\SearchSettings.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Terminal Services Client\MSTSC.EXE
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Terminal Services Client\MSTSC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\pc\Desktop\CONFICKER\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.ba/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\dealio toolbar\SearchSettings.dll
BHO: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - c:\program files\dealio toolbar\DealioToolbarIE.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\dealio toolbar\SearchSettings.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - c:\program files\dealio toolbar\DealioToolbarIE.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SearchSettings] c:\program files\dealio toolbar\SearchSettings.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {41F91B00-7789-4660-9BDD-A083B38DA6C1} = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
============= SERVICES / DRIVERS ===============
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-10-14 11608]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\common files\abbyy\finereader\9.00\licensing\pe\NetworkLicenseServer.exe [2007-12-6 660768]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-10-14 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-10-14 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-10-14 56816]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-7-30 269648]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-7-30 19160]
S2 mndddtzr;Support Helper;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\msn messenger\usnsvc.exe [2007-1-19 97136]
=============== Created Last 30 ================
2010-01-14 11:44:30 0 d-----w- C:\nextBackup
==================== Find3M ====================
2010-01-14 10:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-08 05:25:08 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2002-01-25 14:57:52 3544576 -c--a-w- c:\program files\LIPSETUP.MSI
2009-08-24 11:22:02 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009082420090825\index.dat
2009-08-27 17:33:09 2109472 --sha-w- c:\windows\system32\drivers\fidbox.dat
============= FINISH: 11:48:24,25 ===============
http://www.mycity.rs/uploads2/160094_1332088467_Attach.txt
http://www.mycity.rs/uploads2/160094_1170499170_Gmer1.log
http://www.mycity.rs/uploads2/160094_1466268989_Gmer2.log
http://www.mycity.rs/uploads2/160094_1189522601_Gmer3.txt
nadam se da sam dobro odradio sto je potrebno za pomoc, hvala unaprijed!!! |
|
|
|
|
|
| Poslao: 05 Feb 2010 12:09 |
|
|
|
|
Iskljuci racunar sa mreze.
Preuzmi sUBs-ov ComboFix sa sledeće adrese na Desktop:
Bleeping Computer
 Kada preuzimanje programa bude završeno:
- deaktiviraj zaštitni softver (uputstvo);
- zatvori pokrenute programe;
- dvoklikom pokreni program ComboFix.
U toku rada, ComboFix će:- proveriti postoji li novija verzija programa:
- klikni Yes ako bude ponuđeno preuzimanje iste.
- prikazati DISCLAIMER OF WARRANTY ON SOFTWARE:
- klikni Yes kako bi proces bio nastavljen.
- ako Recovery Console nije instalirana, ponuditi instalaciju:
- obavezno prihvati klikom na Yes i isprati postupak.
- postaviti/dati određeni broj upita/obaveštenja:
- prihvati klikom na Yes ili OK.
- po potrebi, restartovati Windows (više puta);
- na kraju rada, otvoriti Notepad sa izveštajem o skeniranju.
Iskopiraj izveštaj koji je ComboFix napravio u temu na forumu:
- klikni desnim tasterom miša u prozor Notepad-a i izaberi Select All;
- klikni desnim tasterom miša na obeleženi tekst i izaberi Copy;
- klikni desnim tasterom miša u polje za pisanje poruke i izaberi Paste.
Napomena:- Izveštaj će biti sačuvan pod nazivom ComboFix.txt na sistemskoj particiji (tipična lokacija: C:\ComboFix.txt);
- Ukoliko nakon slanja poruke primetiš da izveštaj nije kompletan, iskoristi opciju Prikači fajl za prilaganje file-a C:\ComboFix.txt uz poruku.
|
|
|
|
|
|
| Poslao: 05 Feb 2010 14:03 |
|
|
|
|
http://www.mycity.rs/uploads2/160094_1574765706_log.txt
evo log od combo fix....
ComboFix 10-02-04.06 - pc 05.02.2010 13:55:49.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.2047.1609 [GMT 1:00]
Running from: c:\documents and settings\pc\Desktop\CONFICKER\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows Defender *disabled* (Updated) {FDFE477F-8FE7-4B17-A05C-9D1F9EB603CB}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
c:\docume~1\pc\LOCALS~1\Temp\svchost.exe
c:\documents and settings\pc\Application Data\Microsoft\svchost.exe
c:\program files\Dealio Toolbar
c:\program files\Dealio Toolbar\config.ini
c:\program files\Dealio Toolbar\DealioToolbarIE.dll
c:\program files\Dealio Toolbar\Res\amazon.gif
c:\program files\Dealio Toolbar\Res\apple.gif
c:\program files\Dealio Toolbar\Res\barnes.gif
c:\program files\Dealio Toolbar\Res\bestbuy.gif
c:\program files\Dealio Toolbar\Res\dealio_logo.gif
c:\program files\Dealio Toolbar\Res\dealio_logo_hover.gif
c:\program files\Dealio Toolbar\Res\ebay.gif
c:\program files\Dealio Toolbar\Res\icon_settings.gif
c:\program files\Dealio Toolbar\Res\macys.gif
c:\program files\Dealio Toolbar\Res\newegg.gif
c:\program files\Dealio Toolbar\Res\overstock.gif
c:\program files\Dealio Toolbar\Res\search-button-hover.gif
c:\program files\Dealio Toolbar\Res\search-button.gif
c:\program files\Dealio Toolbar\Res\search-chevron-hover.gif
c:\program files\Dealio Toolbar\Res\search-chevron.gif
c:\program files\Dealio Toolbar\Res\search_amazon.gif
c:\program files\Dealio Toolbar\Res\search_dealio.gif
c:\program files\Dealio Toolbar\Res\search_ebay.gif
c:\program files\Dealio Toolbar\Res\search_yahoo.gif
c:\program files\Dealio Toolbar\Res\separator.gif
c:\program files\Dealio Toolbar\Res\target.gif
c:\program files\Dealio Toolbar\Res\walmart.gif
c:\program files\Dealio Toolbar\Res\widgets.xml
c:\program files\Dealio Toolbar\SearchSettings.exe
c:\program files\Dealio Toolbar\SearchSettingsRes409.dll
c:\program files\Dealio Toolbar\sscfg.ini
c:\program files\Dealio Toolbar\WidgiHelper.exe
c:\windows\system32\twain_32.dll
.
((((((((((((((((((((((((( Files Created from 2010-01-05 to 2010-02-05 )))))))))))))))))))))))))))))))
.
2010-02-05 11:39 . 2010-02-05 11:41 -------- d-----w- C:\Precice programa
2010-02-04 11:39 . 2010-02-04 11:39 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2010-02-04 11:39 . 2010-02-04 11:39 -------- d-----w- c:\documents and settings\pc\Application Data\AVS4YOU
2010-02-04 11:38 . 2010-02-04 11:39 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-02-04 11:38 . 2003-05-21 23:50 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2010-02-04 11:38 . 2003-05-21 11:50 24576 ----a-w- c:\windows\system32\msxml3a.dll
2010-02-04 11:38 . 2010-02-04 11:39 -------- d-----w- c:\program files\AVS4YOU
2010-01-14 12:01 . 2006-04-25 05:07 69120 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp43e.DLL
2010-01-14 11:44 . 2010-01-14 11:57 -------- d-----w- C:\nextBackup
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-04 05:31 . 2009-04-07 12:44 -------- d-----w- c:\program files\Google
2010-01-29 14:08 . 2009-02-20 13:39 -------- d-----w- c:\documents and settings\pc\Application Data\BitTorrent
2010-01-14 10:12 . 2009-10-14 12:24 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-13 07:12 . 2009-02-22 12:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-03 09:22 . 2010-01-03 09:22 -------- d-----w- c:\documents and settings\pc\Application Data\Apple Computer
2009-12-26 08:55 . 2009-03-07 14:19 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-12-21 19:14 . 2004-08-03 22:56 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-14 12:31 . 2009-02-19 12:13 -------- d-----w- c:\program files\Common Files\SWF Studio
2009-12-08 05:25 . 2009-10-14 11:15 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-25 12:06 . 2009-08-05 06:02 117760 ----a-w- c:\documents and settings\pc\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-21 15:51 . 2004-08-03 22:56 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-12 10:00 . 2009-11-12 10:00 2686232 ----a-w- c:\documents and settings\All Users\Application Data\SolidDocuments\Installer\Solid Converter PDF\pc\SolidSFX_Data\components\vcredist_x86.exe
2002-01-25 14:57 . 2008-09-11 18:49 3544576 -c--a-w- c:\program files\LIPSETUP.MSI
2009-08-27 17:33 . 2009-08-27 11:11 2109472 --sha-w- c:\windows\system32\drivers\fidbox.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-10-14 20:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 09:45 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-10-07 04:16 323392 ----a-w- c:\program files\DNA\btdna.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 10:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2005-01-07 16:07 61952 ------w- c:\windows\system32\HdAShCut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MagicKey]
2004-03-15 12:27 45056 ----a-w- c:\progra~1\MEDIAK~1\MagicKey.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-09-01 14:57 282624 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2007-02-07 15:24 71216 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
2002-12-16 15:51 36864 ----a-w- c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 03:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
2003-03-31 18:28 155648 -c--a-w- c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8520:TCP"= 8520:TCP:ovwfkqq
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [06.12.2007 21:03 660768]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [14.10.2009 12:15 108289]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [30.07.2009 07:56 269648]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [30.07.2009 07:56 19160]
S2 mndddtzr;Support Helper;c:\windows\system32\svchost.exe -k netsvcs [03.08.2004 23:56 14336]
S2 opkmm;Support Boot;c:\windows\system32\svchost.exe -k netsvcs [03.08.2004 23:56 14336]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03.11.2006 18:19 13592]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\MSN Messenger\usnsvc.exe [19.01.2007 12:54 97136]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - OPKMM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
opkmm
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 02:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
2010-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-07 12:45]
2010-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-07 12:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ba/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {41F91B00-7789-4660-9BDD-A083B38DA6C1} = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-{E312764E-7706-43F1-8DAB-FCDD2B1E416D} - c:\program files\Dealio Toolbar\SearchSettings.dll
BHO-{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - c:\program files\Dealio Toolbar\DealioToolbarIE.dll
BHO-{E312764E-7706-43F1-8DAB-FCDD2B1E416D} - c:\program files\Dealio Toolbar\SearchSettings.dll
Toolbar-{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - c:\program files\Dealio Toolbar\DealioToolbarIE.dll
HKLM-Run-SearchSettings - c:\program files\Dealio Toolbar\SearchSettings.exe
MSConfigStartUp-Adobe_ID0EYTHM - c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mndddtzr]
"ServiceDll"="c:\windows\system32\pwyhgaex.dll.old"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\opkmm]
"ServiceDll"="c:\windows\system32\pwyhgaex.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1044)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-02-05 14:00:39
ComboFix-quarantined-files.txt 2010-02-05 13:00
ComboFix2.txt 2009-08-24 09:45
Pre-Run: 91.546.669.056 bytes free
Post-Run: 93.585.260.544 bytes free
- - End Of File - - 6538D18BC11D34D97A86EEB32B99D24C |
|
|
|
|
|
| Poslao: 05 Feb 2010 20:52 |
|
|
|
|
Otvoriti Notepad i iskopirati sledeci tekst:
| Kod: | File::
c:\windows\system32\pwyhgaex.dll
c:\windows\system32\pwyhgaex.dll.old
Driver::
mndddtzr
opkmm
NetSvcs::
opkmm
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8520:TCP"=- |
Snimiti na Desktop fajl iz Notepada kao "CFScript"
Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja. |
|
|
|
|
|
| Poslao: 06 Feb 2010 15:31 |
|
|
|
|
Mislim da sam sve doboro odradio. Evo ga log file.
http://www.mycity.rs/uploads2/160094_1842540336_Comobofix%201%20log.txt
ComboFix 10-02-04.06 - pc 06.02.2010 15:14:44.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.2047.1625 [GMT 1:00]
Running from: c:\documents and settings\pc\Desktop\CONFICKER\ComboFix.exe
Command switches used :: c:\documents and settings\pc\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows Defender *disabled* (Updated) {FDFE477F-8FE7-4B17-A05C-9D1F9EB603CB}
FILE ::
"c:\windows\system32\pwyhgaex.dll"
"c:\windows\system32\pwyhgaex.dll.old"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MNDDDTZR
-------\Legacy_OPKMM
-------\Service_mndddtzr
-------\Service_opkmm
((((((((((((((((((((((((( Files Created from 2010-01-06 to 2010-02-06 )))))))))))))))))))))))))))))))
.
2010-02-05 11:39 . 2010-02-05 11:41 -------- d-----w- C:\Precice programa
2010-02-04 11:39 . 2010-02-04 11:39 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2010-02-04 11:39 . 2010-02-04 11:39 -------- d-----w- c:\documents and settings\pc\Application Data\AVS4YOU
2010-02-04 11:38 . 2010-02-04 11:39 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-02-04 11:38 . 2003-05-21 23:50 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2010-02-04 11:38 . 2003-05-21 11:50 24576 ----a-w- c:\windows\system32\msxml3a.dll
2010-02-04 11:38 . 2010-02-04 11:39 -------- d-----w- c:\program files\AVS4YOU
2010-01-14 12:01 . 2006-04-25 05:07 69120 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp43e.DLL
2010-01-14 11:44 . 2010-01-14 11:57 -------- d-----w- C:\nextBackup
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-04 05:31 . 2009-04-07 12:44 -------- d-----w- c:\program files\Google
2010-01-29 14:08 . 2009-02-20 13:39 -------- d-----w- c:\documents and settings\pc\Application Data\BitTorrent
2010-01-14 10:12 . 2009-10-14 12:24 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-13 07:12 . 2009-02-22 12:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-03 09:22 . 2010-01-03 09:22 -------- d-----w- c:\documents and settings\pc\Application Data\Apple Computer
2009-12-26 08:55 . 2009-03-07 14:19 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-12-21 19:14 . 2004-08-03 22:56 916480 ------w- c:\windows\system32\wininet.dll
2009-12-14 12:31 . 2009-02-19 12:13 -------- d-----w- c:\program files\Common Files\SWF Studio
2009-12-08 05:25 . 2009-10-14 11:15 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-25 12:06 . 2009-08-05 06:02 117760 ----a-w- c:\documents and settings\pc\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-21 15:51 . 2004-08-03 22:56 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-12 10:00 . 2009-11-12 10:00 2686232 ----a-w- c:\documents and settings\All Users\Application Data\SolidDocuments\Installer\Solid Converter PDF\pc\SolidSFX_Data\components\vcredist_x86.exe
2002-01-25 14:57 . 2008-09-11 18:49 3544576 -c--a-w- c:\program files\LIPSETUP.MSI
2009-08-27 17:33 . 2009-08-27 11:11 2109472 --sha-w- c:\windows\system32\drivers\fidbox.dat
.
((((((((((((((((((((((((((((( SnapShot@2010-02-05_12.59.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-06 14:19 . 2010-02-06 14:19 16384 c:\windows\temp\Perflib_Perfdata_370.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-10-14 20:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 09:45 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-10-07 04:16 323392 ----a-w- c:\program files\DNA\btdna.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 10:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2005-01-07 16:07 61952 ------w- c:\windows\system32\HdAShCut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MagicKey]
2004-03-15 12:27 45056 ----a-w- c:\progra~1\MEDIAK~1\MagicKey.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-09-01 14:57 282624 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2007-02-07 15:24 71216 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
2002-12-16 15:51 36864 ----a-w- c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 03:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
2003-03-31 18:28 155648 -c--a-w- c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [06.12.2007 21:03 660768]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [14.10.2009 12:15 108289]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [30.07.2009 07:56 269648]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [30.07.2009 07:56 19160]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03.11.2006 18:19 13592]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\MSN Messenger\usnsvc.exe [19.01.2007 12:54 97136]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 02:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
2010-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-07 12:45]
2010-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-07 12:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ba/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {41F91B00-7789-4660-9BDD-A083B38DA6C1} = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-06 15:20
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1100)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2500)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2010-02-06 15:25:07 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-06 14:25
ComboFix2.txt 2010-02-05 13:00
ComboFix3.txt 2009-08-24 09:45
Pre-Run: 93.596.278.784 bytes free
Post-Run: 93.454.151.680 bytes free
- - End Of File - - AFA912E658768446AD72C95069BB8411 |
|
|
|
|
|
| Poslao: 06 Feb 2010 17:27 |
|
|
|
|
Na tvom PC-u Conficker vise nije aktivan.
Potrebno je deinstalirati ComboFix:
- klikni start (ili
 ), a zatim RUN.
Na Visti koristiti Start Search polje ukoliko Run nije dostupan.
- U liniju za unos teksta ukucaj (iskopiraj) sledeće:
- ComboFix /Uninstall
Primeti da postoji razmak između "ComboFix" i "/Uninstall".
- a zatim klikni OK (ili pritisni Enter).
Sačekaj da se proces deinstalacije završi.
----------------------------------------
O kakvoj se mrezi radi, da li je to privatna mreza?
Ukoliko ti AV detektuje Conficker to dolazi sa mreze. |
|
|
|
|
|
| Poslao: 08 Feb 2010 09:45 |
|
|
|
|
----------- Napisano: 06 Feb 2010 19:38 ---------
mreza je na poslu,, od 10 tak racunara,ali amo na ovom kompu ga primjeti,samo na njemu,,nikad na drugom. a vidjecu u ponedeljak ima li ga pa se javim, hvala mnogo,pravi ste!!!
----------- Dopuna: 08 Feb 2010 9:45 ---------
evo mene
sve sam odradio,ali kao sto si i pretpostavio conficker je negdje u mrezi, tako da je opet se antivira oglasila,na ovom istom racunaru.
Ako znas sta bi bilo rjesenje ajde kazi pa da vidim ima li sanse da to odradim, hvala jos jednom!
pozdrav |
|
|
|
|
|
| Poslao: 08 Feb 2010 10:05 |
|
|
|
|
Krajnje resenje je da se svi racunari otkace sa mreze i da se ciste jedan po jedan.
Ali posto je to mreza u firmi, mi to ne radimo, ipak smo mi samo volonteri a ovde se radi o profesionalnoj organizaciji.
Sto se tice tvog racunara, skini ovu zakrpu http://www.microsoft.com/downloads/details.aspx?fa.....laylang=en
Diskonektuj se sa mreze i interneta i instaliraj je. |
|
|
|
|
|
| Poslao: 08 Feb 2010 12:30 |
|
|
|
|
ok,razumijem i ispravno 100 %. ni meni nije da cistim po firmi ;( ja sam mislio da je do mog kompa,, samo to.
jos jednom samo da kazem da sam odusevljen vasim radom,,znanjem i azurnosti,,HVALA!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! |
|
|
|
|
|
  |
Strana 1 od 1
|
(Registrovanim korisnicima se NE prikazuju reklame)
Ukupno su 90 korisnika na forumu :: 4 Registrovanih, 1 Sakrivenih i 85 Gosta :: [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije
Najviše korisnika na forumu ikad bilo je 972 - dana 26 Okt 2008 13:06
Korisnici trenutno na forumu: Da vam Bata nešto kaže..., lolacaty, Strog, Žan Klod vam dam |
|
Turista 
