MyCity » Ambulanta -> Arhiva Ambulante » Molim provjeru log-a

Molim provjeru log-a

Napisano na dan: 16.12.2008
1

Molim provjeru log-a
Sledeća strana Pagination

Idi na vrh

Poslao: 16 Dec 2008 21:58
Idi na vrh
offline
  • Pridružio: 20 Mar 2007
  • Poruke: 97

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:41:24 PM, on 12/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Predsjednistvo BiH\Desktop\neda.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [Link mogu videti samo ulogovani korisnici]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [Link mogu videti samo ulogovani korisnici]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [Link mogu videti samo ulogovani korisnici]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [Link mogu videti samo ulogovani korisnici]
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\IDM\QUICKF~1\PlugIns\IEHelp.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [Link mogu videti samo ulogovani korisnici]\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe



Poslao: 16 Dec 2008 23:12
Idi na vrh
offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Pozdrav...

Log je čist. Postoji li neki problem?



Poslao: 17 Dec 2008 09:56
Idi na vrh
offline
  • Pridružio: 20 Mar 2007
  • Poruke: 97

To mi je racunar u firmi.
S vremena na vrijeme mi se monitor ugasi, tj. ode u standby, ali ZA VRIJEME rada na racunaru. I onda ga moram ugasiti i upaliti ponovo (monitor).
I Kasperski nece da se update-uje,a licenciran je. Kada probam, samo pise 0Kb update.

Poslao: 17 Dec 2008 16:03
Idi na vrh
offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Pa, to sa monitorom sigurno nema veze sa malware-om.

A za ovo drugo ćemo odraditi još jednu proveru...


Skini ComboFix sa jedne od sledecih adresa na Desktop:
[Link mogu videti samo ulogovani korisnici]
[Link mogu videti samo ulogovani korisnici]
[Link mogu videti samo ulogovani korisnici]

Startuj ga i ne diraj prozor programa dok skenira.
Sledi uputstva na ekranu. Kada zavrsi pojavice se log (C:\ComboFix.txt) koji ces nam ovde iskopirati.

Poslao: 25 Dec 2008 13:20
Idi na vrh
offline
  • Pridružio: 20 Mar 2007
  • Poruke: 97

Pred kraj downloada Kasp mi izbaci da je ovo virus
"Heue.Invader
malicious http object
detected". Kliknem da dopusti download, pa ga pokrenem i onda on izbaci prozor upozorenje i pise corrupt i pise "download fresh copy or retry instalation corrupt file"

Poslao: 25 Dec 2008 13:43
Idi na vrh
offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Deaktiviraj Kaspersky pre download-a.

Poslao: 25 Dec 2008 14:42
Idi na vrh
offline
  • Pridružio: 20 Mar 2007
  • Poruke: 97

ComboFix 08-12-24.01 - Predsjednistvo BiH 2008-12-25 14:22:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.614 [GMT 1:00]
Running from: c:\documents and settings\Predsjednistvo BiH\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\abk.bat
C:\autorun.inf
C:\lky.exe
c:\windows\system32\gasretyw0.dll
c:\windows\system32\gasretyw1.dll
c:\windows\system32\kamsoft.exe
C:\yannh.cmd
E:\abk.bat
E:\Autorun.inf
E:\lky.exe
E:\yannh.cmd

.
((((((((((((((((((((((((( Files Created from 2008-11-25 to 2008-12-25 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-25 13:29 2,071,584 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-25 13:28 128,032 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-12-25 13:26 29,432 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-25 13:26 14,024 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-12-25 13:08 --------- d-----w c:\program files\Mozilla Thunderbird
2008-12-25 07:43 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-11-24 10:11 91,700 ----a-w c:\windows\system32\drivers\klin.dat
2008-11-24 10:11 85,860 ----a-w c:\windows\system32\drivers\klick.dat
2008-11-24 10:11 --------- d-----w c:\program files\Lavasoft
2008-11-24 10:11 --------- d-----w c:\program files\Kaspersky Lab
2008-11-24 10:07 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-12 10:48 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-12 10:46 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-12 10:42 --------- d-----w c:\program files\Uniblue
2008-11-12 10:42 --------- d-----w c:\documents and settings\Predsjednistvo BiH\Application Data\Uniblue
2008-11-12 10:38 74,703 ----a-w c:\windows\system32\mfc45.dll
2008-11-12 10:38 --------- d-----w c:\documents and settings\Predsjednistvo BiH\Application Data\iolo
2008-11-12 10:38 --------- d-----w c:\documents and settings\All Users\Application Data\iolo
2008-11-12 10:27 --------- d-----w c:\program files\Innovative Solutions
2008-11-12 10:19 --------- d-----w c:\program files\Alwil Software
2008-11-12 09:55 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-12 08:33 84,992 --sh--r c:\windows\system32\kav320.dll
2008-11-12 08:26 99,504 --sh--r C:\ogcikeq.com
2008-11-12 08:26 84,992 --sh--r c:\windows\system32\kav321.dll
2008-11-11 10:27 --------- d-----w c:\documents and settings\Predsjednistvo BiH\Application Data\oald7
2008-11-11 10:26 90,112 ----a-w c:\windows\system32\CmdLineExt.dll
2008-11-11 10:26 126,976 ----a-w c:\windows\system32\UAService7.exe
2008-11-11 10:26 --------- d-----w c:\program files\TEXTware
2008-11-11 10:26 --------- d-----w c:\program files\IDM
2008-11-11 10:26 --------- d-----w c:\documents and settings\Predsjednistvo BiH\Application Data\SecuROM
2008-11-11 10:24 --------- d-----w c:\program files\Oxford
2008-11-06 11:37 --------- d-----w c:\documents and settings\Predsjednistvo BiH\Application Data\Thunderbird
2008-11-06 11:37 --------- d-----w c:\documents and settings\Predsjednistvo BiH\Application Data\Talkback
2008-10-30 12:56 --------- d-----w c:\program files\Hewlett-Packard
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 c:\windows\system32\HdAShCut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2006-02-28 13:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
-ra------ 2006-01-30 17:00 98304 c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-12 75856]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-12 20560]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2007-12-13 24592]
S3 AVPsys;AVPsys;\??\c:\windows\system32\drivers\cdaudio.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17214b59-c2a2-11dd-99eb-001a923a6071}]
\Shell\AutoRun\command - wscript.exe .\.vbs
\Shell\open\command - wscript.exe .\.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17214b75-c2a2-11dd-99eb-001a923a6071}]
\Shell\AutoOpen\command - f:\.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39bac86c-aff4-11dd-99c1-001a923a6071}]
\Shell\AutoRun\command - F:\lky.exe
\Shell\explore\Command - F:\lky.exe
\Shell\open\Command - F:\lky.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ffcc7ea-743b-11dd-99a8-001a923a6071}]
\Shell\AutoRun\command - F:\bwpncb6.com
\Shell\explore\Command - F:\bwpncb6.com
\Shell\open\Command - F:\bwpncb6.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4996278e-ab18-11dd-99b7-001a923a6071}]
\Shell\AutoRun\command - F:\i.exe
\Shell\explore\Command - F:\i.exe
\Shell\open\Command - F:\i.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{535b2720-bd24-11dd-99e3-001a923a6071}]
\Shell\AutoRun\command - F:\e8kj.exe
\Shell\explore\Command - F:\e8kj.exe
\Shell\open\Command - F:\e8kj.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65ba1eb4-afdd-11dd-99c0-001a923a6071}]
\Shell\AutoRun\command - F:\qquq.bat
\Shell\explore\Command - F:\qquq.bat
\Shell\open\Command - F:\qquq.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94165b8c-00b1-11dd-9985-001a923a6071}]
\Shell\AutoRun\command - F:\0n.bat
\Shell\explore\Command - F:\0n.bat
\Shell\open\Command - F:\0n.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97b1a0ee-8852-11dc-9925-001a923a6071}]
\Shell\AutoRun\command - F:\lky.exe
\Shell\explore\Command - F:\lky.exe
\Shell\open\Command - F:\lky.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{998b8b6e-a683-11dd-99af-001a923a6071}]
\Shell\AutoRun\command - F:\ln9.exe
\Shell\explore\Command - F:\ln9.exe
\Shell\open\Command - F:\ln9.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6e8ce77-b482-11dd-99d3-001a923a6071}]
\Shell\AutoRun\command - F:\yannh.cmd
\Shell\explore\Command - F:\yannh.cmd
\Shell\open\Command - F:\yannh.cmd
.
Contents of the 'Scheduled Tasks' folder

2008-08-27 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-kamsoft - c:\windows\system32\kamsoft.exe


.
------- Supplementary Scan -------
.
uStart Page = [Link mogu videti samo ulogovani korisnici]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Predsjednistvo BiH\Application Data\Mozilla\Firefox\Profiles\2it2118y.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2008-12-25 14:28:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(1040)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll

- - - - - - - > 'explorer.exe'(3980)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\scrchpg.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\ATKKBService.exe
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
c:\windows\system32\UAService7.exe
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
c:\windows\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-12-25 14:30:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-25 13:30:40

Pre-Run: 38,346,174,464 bytes free
Post-Run: 38,357,434,368 bytes free

201 --- E O F --- 2008-12-18 16:49:26

Poslao: 25 Dec 2008 15:23
Idi na vrh
offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Otvoriti Notepad i iskopirati sledeci tekst:

File::
c:\windows\system32\kav320.dll
C:\ogcikeq.com
c:\windows\system32\kav321.dll

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17214b59-c2a2-11dd-99eb-001a923a6071}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17214b75-c2a2-11dd-99eb-001a923a6071}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39bac86c-aff4-11dd-99c1-001a923a6071}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ffcc7ea-743b-11dd-99a8-001a923a6071}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4996278e-ab18-11dd-99b7-001a923a6071}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{535b2720-bd24-11dd-99e3-001a923a6071}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65ba1eb4-afdd-11dd-99c0-001a923a6071}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94165b8c-00b1-11dd-9985-001a923a6071}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97b1a0ee-8852-11dc-9925-001a923a6071}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{998b8b6e-a683-11dd-99af-001a923a6071}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6e8ce77-b482-11dd-99d3-001a923a6071}]


Snimiti na Desktop fajl iz Notepada kao "CFScript"




Prevuci snimljeni skript/tekst na ComboFix ikonicu kao na slici.
Postaviti u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.

Poslao: 25 Dec 2008 15:51
Idi na vrh
offline
  • Pridružio: 20 Mar 2007
  • Poruke: 97

ComboFix 08-12-24.01 - Predsjednistvo BiH 2008-12-25 15:37:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.551 [GMT 1:00]
Running from: c:\documents and settings\Predsjednistvo BiH\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Predsjednistvo BiH\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\ogcikeq.com
c:\windows\system32\kav320.dll
c:\windows\system32\kav321.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ogcikeq.com
c:\windows\system32\kav320.dll
c:\windows\system32\kav321.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-25 to 2008-12-25 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-25 14:41 2,204,192 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-25 14:40 132,640 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-12-25 14:22 --------- d-----w c:\program files\Mozilla Thunderbird
2008-12-25 13:26 29,432 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-25 13:26 14,024 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-12-25 07:43 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-11-24 10:11 91,700 ----a-w c:\windows\system32\drivers\klin.dat
2008-11-24 10:11 85,860 ----a-w c:\windows\system32\drivers\klick.dat
2008-11-24 10:11 --------- d-----w c:\program files\Lavasoft
2008-11-24 10:11 --------- d-----w c:\program files\Kaspersky Lab
2008-11-24 10:07 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-12 10:48 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-12 10:46 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-12 10:42 --------- d-----w c:\program files\Uniblue
2008-11-12 10:42 --------- d-----w c:\documents and settings\Predsjednistvo BiH\Application Data\Uniblue
2008-11-12 10:38 74,703 ----a-w c:\windows\system32\mfc45.dll
2008-11-12 10:38 --------- d-----w c:\documents and settings\Predsjednistvo BiH\Application Data\iolo
2008-11-12 10:38 --------- d-----w c:\documents and settings\All Users\Application Data\iolo
2008-11-12 10:27 --------- d-----w c:\program files\Innovative Solutions
2008-11-12 10:19 --------- d-----w c:\program files\Alwil Software
2008-11-12 09:55 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-11 10:27 --------- d-----w c:\documents and settings\Predsjednistvo BiH\Application Data\oald7
2008-11-11 10:26 90,112 ----a-w c:\windows\system32\CmdLineExt.dll
2008-11-11 10:26 126,976 ----a-w c:\windows\system32\UAService7.exe
2008-11-11 10:26 --------- d-----w c:\program files\TEXTware
2008-11-11 10:26 --------- d-----w c:\program files\IDM
2008-11-11 10:26 --------- d-----w c:\documents and settings\Predsjednistvo BiH\Application Data\SecuROM
2008-11-11 10:24 --------- d-----w c:\program files\Oxford
2008-11-06 11:37 --------- d-----w c:\documents and settings\Predsjednistvo BiH\Application Data\Thunderbird
2008-11-06 11:37 --------- d-----w c:\documents and settings\Predsjednistvo BiH\Application Data\Talkback
2008-10-30 12:56 --------- d-----w c:\program files\Hewlett-Packard
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 c:\windows\system32\HdAShCut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2006-02-28 13:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
-ra------ 2006-01-30 17:00 98304 c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-12 75856]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-12 20560]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2007-12-13 24592]
S3 AVPsys;AVPsys;\??\c:\windows\system32\drivers\cdaudio.sys []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-08-27 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = [Link mogu videti samo ulogovani korisnici]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Predsjednistvo BiH\Application Data\Mozilla\Firefox\Profiles\2it2118y.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2008-12-25 15:40:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(1040)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll
.
Completion time: 2008-12-25 15:42:48
ComboFix-quarantined-files.txt 2008-12-25 14:42:44
ComboFix2.txt 2008-12-25 13:30:48

Pre-Run: 38,394,667,008 bytes free
Post-Run: 38,377,701,376 bytes free

137 --- E O F --- 2008-12-18 16:49:26

Poslao: 25 Dec 2008 22:32
Idi na vrh
offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Pa, ovde više nema malware-a.
Klikni START a zatim RUN
U liniju za unos teksta ukucaj Combofix /u i klikni OK





Sačekaj da se proces deinstalacije završi
Gornja procedura će:
Obrisati sledeće:
ComboFix i njegove file-ove i foldere
VundoFix Backups folder, ako postoji
C:\Deckard folder, ako postoji
C:\OtMoveIt folder, ako postoji
Resetovati podešavanja sata na kompjuteru
Sakriti ekstenzije file-ova, ako je potrebno
Sakriti sistemske/skrivene file-ove/foldere, ako je potrebno
Resetovati System Restore


Za sve preostale probleme ćeš morati potražiti savete u nekom drugom delu foruma.

MyCity » Ambulanta -> Arhiva Ambulante » Molim provjeru log-a

Ko je trenutno na forumu
 

Ukupno su 1387 korisnika na forumu :: 161 registrovanih, 11 sakrivenih i 1215 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 20624 - dana 04 Apr 2026 04:18

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: Adaminho1985, ajo baba, aleph_one, arsa, babaroga, Barista, bb929, Boban0312, Boris90, Borski1977, bozzo27, brandža84, BraneS, BrcakRS, Burovnyak, C-Gun, carinko, ceman, cemix, Coabelgrade, Coficab, Ctrl x, cyprus, d.arsenal321, Darko7103, DeerHunter, dexteroza, djukapfc, dnevnasoba, dolinalima, DonRumataEstorski, DovlaODR, draganl, duro1990duro, Dzigy, Dzumanga, Gall, gasazem, Giskard, goran.vvv, hnjo, HrcAk47, Ivica1102, Jakonjveliki, Jezekijel, jmsk, Joint Chief, Jomini, Jovan.D, kaput21, kmnmada, Kobrim, krkalon, kybonacci, laurusri, Lazarus, luka35, lukac, M74AB3, Mackomen, Makarid, Marko Marković, Markobreee, marsi, marsovac 2, MaschinenPistole, Mastrum Ridkali, max power, MegaVLAdaR, mercedesamg, Mercury, MidnighT_AlieN, Mig 29, MiGac, Miki01, Miletić Zoran, milimoj, milos.cbr, mir, Miskinn, Mitrast, mm1811, moldway, mrm, Murko, narandzasti, nefs, neko_drugi, Neutral-M, neutrino, nextyamb, Niki2024, NklJov123, nnnnnnnnnn, omen, Pale2025, pceklic, Pegggio, Pero Petković, Piklik, Podljub, Prašinar, Prometeus, rambod, razumihin, rebro1974, repac, rikirubio, Romibrat, rovac, ruso, sale_bih, samocitam, samp1389, saputnik plavetnila, Sass Drake, savaskytec, savuni, Semberija, Shinobi, sistem22, siwoti, SK66, Skenderbeg, skvara, Smiljkovich, sova72, spektorsky, srecko81, Srna, stegonosa, strelac07, suponik, synergia, taomaster, Tas011, theBorer, TheDictator, tomigun, Tristan_Bantam, trpche, trutcina, TRZH92, tubular, tvlada, uruk, vazduh, vdeki, Veljko™, vladaa012, vladom6, VOŽD, Vrač, vuksa72, wolf1, Yekaterinburg, ZetaMan, zorzpapadubi, Zrcalo, šumar bk2, 800077