Elite.bar virus - help


  • Joined: 17 Oct 2008
  • Posts: 5

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:18, on 17.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Documents and Settings\Korisnik\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Korisnik\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Korisnik\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Korisnik\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Korisnik\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Korisnik\Desktop\Virusna zastita\tr3.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Korisnik\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WindowsAPI32] C:\rmxgdx.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{27FEF9E6-2A8E-4D1F-B4AD-513377348629}: NameServer = 195.222.32.10 195.222.32.20
O20 - Winlogon Notify: kiwcrky - kiwcrky.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 5348 bytes

After trying to remove the viruses from the infected PC with Ad-Aware and NOD32, I removed almost everything except elitum/elite.bar (I think that's what it's called). The antivirus recognizes it, but it keeps reappearing, especially when I connect to the internet.
Thanks for the help...

  • dr_Bora (Male)
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hi...


Download ComboFix from one of the following addresses to your Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Start it and don't touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear; copy it here for us.

  • Joined: 17 Oct 2008
  • Posts: 5

ComboFix 08-10-16.08 - Korisnik 2008-10-17 15:15:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.385.1033.18.191 [GMT 2:00]
Running from: C:\Documents and Settings\Korisnik\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Korisnik\Application Data\Adobe\crc.dat
C:\Documents and Settings\Korisnik\Application Data\Adobe\Player.exe.bak
C:\WINDOWS\system32\_004607_.tmp.dll
C:\WINDOWS\system32\_004608_.tmp.dll
C:\WINDOWS\system32\_004609_.tmp.dll
C:\WINDOWS\system32\_004610_.tmp.dll
C:\WINDOWS\system32\_004617_.tmp.dll
C:\WINDOWS\system32\_004619_.tmp.dll
C:\WINDOWS\system32\_004620_.tmp.dll
C:\WINDOWS\system32\_004622_.tmp.dll
C:\WINDOWS\system32\_004623_.tmp.dll
C:\WINDOWS\system32\_004626_.tmp.dll
C:\WINDOWS\system32\_004627_.tmp.dll
C:\WINDOWS\system32\_004629_.tmp.dll
C:\WINDOWS\system32\_004630_.tmp.dll
C:\WINDOWS\system32\_004631_.tmp.dll
C:\WINDOWS\system32\_004633_.tmp.dll
C:\WINDOWS\system32\_004636_.tmp.dll
C:\WINDOWS\system32\_004637_.tmp.dll
C:\WINDOWS\system32\_004641_.tmp.dll
C:\WINDOWS\system32\_004642_.tmp.dll
C:\WINDOWS\system32\_004644_.tmp.dll
C:\WINDOWS\system32\_004647_.tmp.dll
C:\WINDOWS\system32\_004649_.tmp.dll
C:\WINDOWS\system32\_004651_.tmp.dll
C:\WINDOWS\system32\_004652_.tmp.dll
C:\WINDOWS\system32\_004653_.tmp.dll
C:\WINDOWS\system32\_004656_.tmp.dll
C:\WINDOWS\system32\_004657_.tmp.dll
C:\WINDOWS\system32\_004658_.tmp.dll
C:\WINDOWS\system32\_004659_.tmp.dll
C:\WINDOWS\system32\_004660_.tmp.dll
C:\WINDOWS\system32\_004665_.tmp.dll
C:\WINDOWS\system32\_004667_.tmp.dll

----- BITS: Possible infected sites -----

hxxp://78.157.143.163
hxxp://91.203.93.6
hxxp://78.157.143.198
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_icf


((((((((((((((((((((((((( Files Created from 2008-09-17 to 2008-10-17 )))))))))))))))))))))))))))))))
.

2008-10-17 11:48 . 2008-10-17 11:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-16 15:49 . 2008-10-16 15:49 <DIR> d-------- C:\Documents and Settings\Korisnik\Application Data\Uniblue
2008-10-16 15:27 . 2008-10-16 15:27 2,472 --a------ C:\clean.bat
2008-10-16 14:07 . 2008-10-16 19:46 <DIR> d-------- C:\Program Files\True Sword 5
2008-10-16 14:07 . 2008-10-16 14:07 <DIR> d-------- C:\Documents and Settings\Korisnik\Application Data\True Sword
2008-10-16 13:37 . 2008-10-16 13:37 <DIR> d-------- C:\Documents and Settings\Korisnik\Application Data\Malwarebytes
2008-10-16 13:37 . 2008-10-16 13:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-15 19:52 . 2008-10-17 15:22 93,918 --a------ C:\WINDOWS\system32\drivers\8b09a4f8.sys
2008-10-13 12:51 . 2008-10-13 12:51 138,560 --a------ C:\WINDOWS\system32\drivers\ati2orxx.sys
2008-10-13 12:50 . 2008-10-13 13:08 2,933 --a------ C:\Documents and Settings\Korisnik\iuns.exe
2008-10-12 20:21 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
2008-10-12 20:20 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-10-12 20:20 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-10-12 20:20 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2008-10-12 20:20 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-10-12 20:20 . 2006-09-28 16:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2008-10-12 20:20 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-09-25 01:49 . 2008-09-25 01:49 <DIR> d-------- C:\Program Files\whyEye.org
2008-09-25 01:44 . 2008-09-25 01:44 <DIR> d-------- C:\Program Files\IrfanView
2008-09-21 21:53 . 1997-04-08 20:08 299,520 --a------ C:\WINDOWS\uninst.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-17 09:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-10-13 10:50 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2008-10-09 19:02 --------- d-----w C:\Documents and Settings\Korisnik\Application Data\LimeWire
2008-09-25 10:57 --------- d-----w C:\Program Files\Google
2008-09-23 14:34 --------- d-----w C:\Documents and Settings\Korisnik\Application Data\Image Zone Express
2008-09-09 21:28 --------- d-----w C:\Program Files\FreeGamePick.com
2008-09-03 18:19 --------- d-----w C:\Program Files\UBISOFT
2008-09-03 18:15 13,312 ----a-w C:\WINDOWS\system32\svrapi.dll
2008-08-29 20:02 --------- d-----w C:\Program Files\Labtec
2008-08-21 19:40 --------- d-----w C:\Program Files\Lavasoft
2008-08-21 19:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-21 19:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-18 19:24 --------- d-----w C:\Documents and Settings\Korisnik\Application Data\Emme
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="C:\Documents and Settings\Korisnik\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-15 133104]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 32768]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [2006-03-20 516096]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-24 917504]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-05-01 113664]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-04-30 124400]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati2orxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati3uxxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati5ehxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati5koxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7mpxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati8vaxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

S0 ati2orxx;ati2orxx;C:\WINDOWS\system32\Drivers\ati2orxx.sys [2008-10-13 138560]
S0 ati5ehxx;ati5ehxx;C:\WINDOWS\system32\Drivers\ati5ehxx.sys [ ]
S0 ati5koxx;ati5koxx;C:\WINDOWS\system32\Drivers\ati5koxx.sys [ ]
S0 ati7mpxx;ati7mpxx;C:\WINDOWS\system32\Drivers\ati7mpxx.sys [ ]
S0 ati8vaxx;ati8vaxx;C:\WINDOWS\system32\Drivers\ati8vaxx.sys [ ]
S1 7ba1e85;7ba1e85;C:\WINDOWS\system32\drivers\7ba1e85.sys [ ]
S1 dedae377;dedae377;C:\WINDOWS\system32\drivers\dedae377.sys [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e9ca49a-4e76-11dd-8de1-0040f497ce7c}]
\Shell\AutoOpen\command - F:\.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9707f3f-1142-11dd-8cc6-0040f497ce7c}]
\Shell\AutoOpen\command - .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b184724c-1f99-11dd-8d13-0040f497ce7c}]
\Shell\AutoOpen\command - F:\.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
.
Contents of the 'Scheduled Tasks' folder

2008-10-17 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job
- C:\Documents and Settings\Korisnik\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-15 21:45]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-WindowsAPI32 - C:\rmxgdx.exe
HKCU-Run-Uniblue RegistryBooster 2009 - C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe
Notify-kiwcrky - kiwcrky.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Korisnik\Application Data\Mozilla\Firefox\Profiles\qu7l717h.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.bljesak.info/
FF -: plugin - C:\Documents and Settings\Korisnik\Local Settings\Application Data\Google\Update\1.2.131.19\npGoogleOneClick6.dll
FF -: plugin - C:\Program Files\Google\Google Updater\2.2.1202.1501\npCIDetect11.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-10-17 15:21:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\8b09a4f8]
"ImagePath"="\SystemRoot\System32\drivers\8b09a4f8.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-10-17 15:27:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-17 13:27:08

Pre-Run: 13.652.836.352 bytes free
Post-Run: 14,206,808,064 bytes free


dr bora, do I need to do anything else...
regards

  • dr_Bora (Male)
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text into it:

File::
C:\WINDOWS\system32\drivers\8b09a4f8.sys
C:\WINDOWS\system32\drivers\ati2orxx.sys
C:\Documents and Settings\Korisnik\iuns.exe

Driver::
ati2orxx
ati5ehxx
ati5koxx
ati7mpxx
ati8vaxx
7ba1e85
dedae377
8b09a4f8

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati2orxx.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati3uxxx.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati5ehxx.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati5koxx.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7mpxx.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati8vaxx.sys]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e9ca49a-4e76-11dd-8de1-0040f497ce7c}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9707f3f-1142-11dd-8cc6-0040f497ce7c}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b184724c-1f99-11dd-8d13-0040f497ce7c}]


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon, as in the picture.

Post the log that is produced at the end of the cleaning/scanning in your next message.
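The CFScript above targets entries that share a few traits visible in the two logs: an autostart that launches an executable from the drive root, a Winlogon Notify DLL that is missing, driver services with no file on disk or with random-looking names, and a Security Center/firewall that has been silenced. As an added example (not a tool from this thread or from the ComboFix project), the Python script below writes those rules down explicitly and runs them over lines copied from the logs; the SAMPLE list, the scan date and the 7-day threshold are constructed assumptions.

```python
"""Triage of HijackThis / ComboFix log lines.

Added example, not a tool from this thread.  It writes down, as explicit rules,
the reasoning behind the CFScript above (which entries were picked for removal)
and reports WHY each line is suspicious.  It is a triage aid for a human, not a
verdict: legitimate software can trip any single rule.
"""
import re
from datetime import date
from typing import List, Tuple

# HijackThis O4 autostart, e.g.  O4 - HKCU\..\Run: [WindowsAPI32] C:\rmxgdx.exe
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] "?([A-Za-z]:\\.*?\.exe)', re.I)
# HijackThis O20, e.g.  O20 - Winlogon Notify: kiwcrky - kiwcrky.dll (file missing)
O20_RE = re.compile(r'^O20 - Winlogon Notify: (\S+) - (\S+)( \(file missing\))?')
# ComboFix driver line, e.g.  S0 ati2orxx;ati2orxx;C:\...\ati2orxx.sys [2008-10-13 138560]
DRV_RE = re.compile(r'^S([0-4]) ([^;]+);[^;]*;(.+?) \[([^\]]*)\]$')
# ComboFix security-posture lines from the "Reg Loading Points" section
DISABLE_RE = re.compile(r'^"(AntiVirusDisableNotify|UpdatesDisableNotify)"=dword:00000001$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"= 0 ')

RECENT_DAYS = 7  # assumed threshold: a boot-start driver file newer than this gets a look


def in_drive_root(path: str) -> bool:
    """True for C:\\rmxgdx.exe-style paths: an executable sitting directly in a drive root."""
    return re.fullmatch(r'[A-Za-z]:\\[^\\]+', path) is not None


def looks_random(name: str) -> bool:
    """Hex-looking service names such as 8b09a4f8 or dedae377: 6-8 hex chars with a digit."""
    return re.fullmatch(r'[0-9a-f]{6,8}', name) is not None and any(c.isdigit() for c in name)


def triage(lines: List[str], scan_date: date) -> List[Tuple[str, str]]:
    """Return (line, reason) for every line that trips a rule; clean lines are skipped."""
    findings: List[Tuple[str, str]] = []
    for raw in lines:
        line = raw.rstrip()
        if m := O4_RE.match(line):
            hive, name, path = m.groups()
            if in_drive_root(path):
                findings.append((line, f"{hive} Run entry '{name}' launches {path} from a drive root"))
        elif m := O20_RE.match(line):
            name, dll, missing = m.groups()
            if missing:
                findings.append((line, f"Winlogon Notify '{name}' points at {dll}, which is not on disk"))
        elif m := DRV_RE.match(line):
            start, name, path, info = m.groups()
            info = info.strip()  # "[ ]" in ComboFix means no file was found for the service
            if not info:
                findings.append((line, f"driver service '{name}' is registered but {path} is not on disk"))
            elif looks_random(name):
                findings.append((line, f"driver service '{name}' has a random-looking hex name"))
            elif start == "0":
                age = (scan_date - date.fromisoformat(info.split()[0])).days
                if age <= RECENT_DAYS:
                    findings.append((line, f"boot-start driver '{name}' file is only {age} days old"))
        elif DISABLE_RE.match(line):
            findings.append((line, "Security Center notification for AV/updates is switched off"))
        elif FIREWALL_RE.match(line):
            findings.append((line, "Windows Firewall is disabled for the standard profile"))
    return findings


# Constructed sample: lines copied from the two logs posted earlier in this thread.
SAMPLE = [
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKCU\..\Run: [WindowsAPI32] C:\rmxgdx.exe',
    r'O20 - Winlogon Notify: kiwcrky - kiwcrky.dll (file missing)',
    r'S0 ati2orxx;ati2orxx;C:\WINDOWS\system32\Drivers\ati2orxx.sys [2008-10-13 138560]',
    r'S0 ati5ehxx;ati5ehxx;C:\WINDOWS\system32\Drivers\ati5ehxx.sys [ ]',
    r'S1 7ba1e85;7ba1e85;C:\WINDOWS\system32\drivers\7ba1e85.sys [ ]',
    r'"AntiVirusDisableNotify"=dword:00000001',
    r'"EnableFirewall"= 0 (0x0)',
]
SCAN_DATE = date(2008, 10, 17)  # date of the first ComboFix run in the thread

if __name__ == "__main__":
    for line, reason in triage(SAMPLE, SCAN_DATE):
        print(f"{reason}\n    {line}")
```

The legitimate ctfmon.exe entry passes through untouched, while every entry the CFScript removed (and the two posture settings the log shows) comes back with a one-line reason.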

  • Joined: 17 Oct 2008
  • Posts: 5

ComboFix 08-10-16.08 - Korisnik 2008-10-17 19:33:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.385.1033.18.174 [GMT 2:00]
Running from: C:\Documents and Settings\Korisnik\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Korisnik\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Korisnik\iuns.exe
C:\WINDOWS\system32\drivers\8b09a4f8.sys
C:\WINDOWS\system32\drivers\ati2orxx.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Korisnik\iuns.exe
C:\WINDOWS\system32\drivers\8b09a4f8.sys
C:\WINDOWS\system32\drivers\ati2orxx.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_7ba1e85
-------\Service_8b09a4f8
-------\Service_ati2orxx
-------\Service_ati5ehxx
-------\Service_ati5koxx
-------\Service_ati7mpxx
-------\Service_ati8vaxx
-------\Service_dedae377


((((((((((((((((((((((((( Files Created from 2008-09-17 to 2008-10-17 )))))))))))))))))))))))))))))))
.

2008-10-17 11:48 . 2008-10-17 11:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-16 15:49 . 2008-10-16 15:49 <DIR> d-------- C:\Documents and Settings\Korisnik\Application Data\Uniblue
2008-10-16 15:27 . 2008-10-16 15:27 2,472 --a------ C:\clean.bat
2008-10-16 14:07 . 2008-10-16 19:46 <DIR> d-------- C:\Program Files\True Sword 5
2008-10-16 14:07 . 2008-10-16 14:07 <DIR> d-------- C:\Documents and Settings\Korisnik\Application Data\True Sword
2008-10-16 13:37 . 2008-10-16 13:37 <DIR> d-------- C:\Documents and Settings\Korisnik\Application Data\Malwarebytes
2008-10-16 13:37 . 2008-10-16 13:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-12 20:21 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
2008-10-12 20:20 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-10-12 20:20 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-10-12 20:20 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2008-10-12 20:20 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-10-12 20:20 . 2006-09-28 16:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2008-10-12 20:20 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-09-25 01:49 . 2008-09-25 01:49 <DIR> d-------- C:\Program Files\whyEye.org
2008-09-25 01:44 . 2008-09-25 01:44 <DIR> d-------- C:\Program Files\IrfanView
2008-09-21 21:53 . 1997-04-08 20:08 299,520 --a------ C:\WINDOWS\uninst.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-17 09:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-10-13 10:50 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2008-10-09 19:02 --------- d-----w C:\Documents and Settings\Korisnik\Application Data\LimeWire
2008-09-25 10:57 --------- d-----w C:\Program Files\Google
2008-09-23 14:34 --------- d-----w C:\Documents and Settings\Korisnik\Application Data\Image Zone Express
2008-09-09 21:28 --------- d-----w C:\Program Files\FreeGamePick.com
2008-09-03 18:19 --------- d-----w C:\Program Files\UBISOFT
2008-09-03 18:15 13,312 ----a-w C:\WINDOWS\system32\svrapi.dll
2008-08-29 20:02 --------- d-----w C:\Program Files\Labtec
2008-08-21 19:40 --------- d-----w C:\Program Files\Lavasoft
2008-08-21 19:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-21 19:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-18 19:24 --------- d-----w C:\Documents and Settings\Korisnik\Application Data\Emme
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="C:\Documents and Settings\Korisnik\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-15 133104]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 32768]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [2006-03-20 516096]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-24 917504]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-05-01 113664]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-04-30 124400]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2008-10-17 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job
- C:\Documents and Settings\Korisnik\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-15 21:45]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-10-17 19:38:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-10-17 19:43:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-17 17:43:35
ComboFix2.txt 2008-10-17 13:27:14

Pre-Run: 14.209.032.192 bytes free
Post-Run: 14,199,750,656 bytes free


  • dr_Bora (Male)
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Right-click the file C:\clean.bat and choose the Edit option.

The file will open in Notepad; copy its contents here.

  • Joined: 17 Oct 2008
  • Posts: 5

del c:\*.tmp
del %temp%\*.tmp /f
del %windir%\prefetch\*.*
del %windir%\temp\*.* /f
del %windir%\system32\kalv*.* /f
del %windir%\system32\elite*.* /f
del C:\documents and settings\*\local settings\temp\*.* /f
CLS
ECHO OFF
ECHO Elite Toolbar Removal Batch File
ECHO Created by Nyquist on 19th Feb 2005.
ECHO OFF
ECHO Removing Elite Tool Bar directories.
ECHO Searching %windir%
IF EXIST %windir%\elitetoolbar\nul DELTREE /y %windir%\elitebar
IF EXIST %windir%\elitetoolbar\nul DELTREE /y %windir%\elitetoolbar
IF EXIST %windir%\elitesidebar\nul DELTREE /y %windir%\elitesidebar
ECHO Searching %temp%
IF EXIST %temp%\elitetoolbar\nul DELTREE /y %temp%\elitebar
IF EXIST %temp%\elitetoolbar\nul DELTREE /y %temp%\elitetoolbar
IF EXIST %temp%\elitesidebar\nul DELTREE /y %temp%\elitesidebar
ECHO Searching %windir%\SYSTEM
IF EXIST %windir%\SYSTEM\elitetoolbar\nul DELTREE /y %windir%\SYSTEM\elitebar
IF EXIST %windir%\SYSTEM\elitetoolbar\nul DELTREE /y %windir%\SYSTEM\elitetoolbar
IF EXIST %windir%\SYSTEM\elitesidebar\nul DELTREE /y %windir%\SYSTEM\elitesidebar
ECHO Searching %windir%\SYSTEM32
IF EXIST %windir%\SYSTEM32\elitetoolbar\nul DELTREE /y %windir%\SYSTEM32\elitebar
IF EXIST %windir%\SYSTEM32\elitetoolbar\nul DELTREE /y %windir%\SYSTEM32\elitetoolbar
IF EXIST %windir%\SYSTEM32\elitesidebar\nul DELTREE /y %windir%\SYSTEM32\elitesidebar
ECHO Removing Elite Tool Bar files.
ECHO Searching %windir%
IF EXIST %windir%\eliteerror.dat DEL %windir%\eliteerror.dat
IF EXIST %windir%\eliteerror32.dat DEL %windir%\eliteerror32.dat
IF EXIST %windir%\system\elitedoolsav.dat DEL %windir%\system\elitedoolsav.dat
IF EXIST %windir%\system\eliteerror.dat DEL %windir%\system\eliteerror.dat
IF EXIST %windir%\system\eliteerror32.dat DEL %windir%\system\eliteerror32.dat
IF EXIST %windir%\system32\eliteerror.dat DEL %windir%\system32\eliteerror.dat
IF EXIST %windir%\system32\eliteerror32.dat DEL %windir%\system32\eliteerror32.dat
ECHO Removing startup hooks.
IF EXIST %temp%\suicidetb.exe DEL %temp%\suicidetb.exe
IF EXIST %windir%\system\elite*.exe DEL %windir%\system\elite*.exe
IF EXIST %windir%\system\elite*.exe DEL %windir%\system32\elite*.exe
IF EXIST %windir%\system\kalv*.exe DEL %windir%\system\kalv*.exe
IF EXIST %windir%\system\kalv*.exe DEL %windir%\system32\kalv*.exe
IF EXIST %windir%\system\msnmsgq32*.exe DEL %windir%\system\msnmsgq32.exe
IF EXIST %windir%\system\shch.exe DEL %windir%\system\shch.exe

  • dr_Bora (Male)
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Ok. What is the situation now?

Does the AV detect anything? If yes, what exactly is it (I'm interested in the location of the detected files)?

  • Joined: 17 Oct 2008
  • Posts: 5

So far nothing. Before the last scan with Combo, NOD32 asked me to report suspicious files to their site (which had happened to me several times over the last two days). After I copied the txt file onto Combo and restarted, nothing else happened, which means there's no problem. I'll try one more scan with NOD, and then with Ad-Aware, but I think that's that.
I'll report back after the scan, but in any case, you don't carry the prefix dr. for nothing. Thanks a lot

Update: 17 Oct 2008 21:15

Finished scanning, no problems reported.
Thanx a lot.
Regards

  • dr_Bora (Male)
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Do the following:
Click START and then RUN
In the text entry line type Combofix /u and click OK

Wait for the uninstall process to finish

The above procedure will:
Delete the following:
ComboFix and its files and folders
VundoFix Backups folder, if it exists
C:\Deckard folder, if it exists
C:\OtMoveIt folder, if it exists

Reset the computer's clock settings
Hide file extensions, if necessary
Hide system/hidden files/folders, if necessary
Reset System Restore

That's all.

regards
