I just can't get rid of this virus!!!

  • Joined: 21 Oct 2007
  • Posts: 10

Here's the thing: first I'd like to describe the problem, and then I'll post the HijackThis logfile. After clicking a link in a Google search (it was some local forum, not pornographic content or anything like that), after some 3-4 seconds a so-called program, MS Antispyware 2009, appeared. Worst of all, it wasn't a classic pop-up window; it looked as if it were an already installed program. I must point out that before that I hadn't clicked on any ads, i.e. I hadn't clicked on anything at all. At the same time, Symantec's Corporate Edition antivirus detected several trojans and downloaders. The viruses it detected I deleted from quarantine, and this MS Antispyware I closed by clicking the X, because although I knew it wasn't my program I didn't know how else to close it. I must also point out that the program looked just like a real one, because when the cursor was hovered over it the little hand didn't appear instead of the arrow, as it does with the classic scams. Now, after all that, when I deleted everything, i.e. scanned with Symantec and Malwarebytes, the following virus kept constantly reappearing at this location: C:\windows\temp\vrt3.tmp. According to Symantec it's a downloader virus. I'd also note that it isn't always vrt3.tmp; sometimes it's vrt1.tmp, vrt1b.tmp, etc. The antivirus always duly sends them to quarantine and I delete them, but they keep constantly reappearing. I must also mention that my internet is quite slowed down and that a couple of programs have been destroyed, e.g. Nero, BSplayer, etc. Whenever I scan with Anti-Malware it doesn't find anything.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:24 PM, on 2/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\KWorld Multimedia\PVR-TV 7131 Utilities\P3XRCtl.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Matlab6.5\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Administrator\Desktop\program1\tr3.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Remote Control.lnk = C:\Program Files\KWorld Multimedia\PVR-TV 7131 Utilities\P3XRCtl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Windows Live Messenger - {B8E99280-3C35-4d50-8595-BDD33A756A4B} - %Programfiles%\Windows Live\Messenger\msnmsgr.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Live Messenger - {B8E99280-3C35-4d50-8595-BDD33A756A4B} - %Programfiles%\Windows Live\Messenger\msnmsgr.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Msn - {7C4A8DBF-AF4B-4F7C-B4A8-9D27D1938AB6} - C:\Program Files\Windows Live\Messenger\msnmsgr.exe (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com/windowsupdate/v6/V.....3646140312
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1AD9E36-13B6-4167-BAF2-4B3722C80D80}: NameServer = 77.105.0.18 77.105.0.19
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Matlab6.5\webserver\bin\win32\matlabserver.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6109 bytes

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...

Download gmer.zip from this link and save it to the Desktop.
Unpack it into a folder.

Double-click gmer.exe to start: select the Rootkit/Malware tab at the top.
Click Scan.
When the scan has finished, click the Copy button below - this saves the scan results to the Clipboard.
Use Paste in Notepad to turn that into text. Save that text from Notepad as file1.txt.
Repeat the same with the Autostart tab. Save that text from Notepad as file2.txt.

Use the Attach file option below the message box on the forum and attach here the two files we just saved.

  • Joined: 21 Oct 2007
  • Posts: 10

I did as you told me, but I can't open that program at all; I always get a small window: An error has occured (debug, don't send, send report). I also tried renaming gmer.exe to some other name, but it doesn't help.

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Temporarily disable your protective software (AV and Ad-Watch).

Download ComboFix from one of the following addresses to the Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and don't touch the program window while it scans.
Follow the instructions on the screen. When it finishes, a log will appear (C:\ComboFix.txt) which you will copy here for us.

  • Joined: 21 Oct 2007
  • Posts: 10

Here's the ComboFix log:


ComboFix 09-02-02.04 - Administrator 2009-02-03 18:16:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.920 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-01-03 to 2009-02-03 )))))))))))))))))))))))))))))))
.

2009-02-03 17:48 . 2009-02-03 17:58 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-03 17:48 . 2009-02-03 17:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-03 15:08 . 2009-02-03 17:07 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-03 15:08 . 2009-02-03 17:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-03 12:58 . 2009-02-03 12:58 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\MathWorks
2009-02-03 12:30 . 2009-02-03 13:01 67 --a------ c:\windows\wininit.ini
2009-02-02 22:44 . 2001-07-06 13:41 569,344 -ra------ c:\windows\system32\imagr5.dll
2009-02-02 22:44 . 2001-07-06 11:44 544,768 -ra------ c:\windows\system32\imagx5.dll
2009-02-02 22:44 . 2001-07-06 17:24 283,920 -ra------ c:\windows\system32\ImagXpr5.dll
2009-02-02 22:44 . 2001-06-26 07:15 38,912 -ra------ c:\windows\system32\picn20.dll
2009-01-20 21:15 . 2009-01-20 21:15 <DIR> d-------- c:\program files\DVDVideoSoft
2009-01-20 21:15 . 2009-01-20 21:15 <DIR> d-------- c:\program files\Common Files\DVDVideoSoft
2009-01-04 14:49 . 2009-01-04 14:49 <DIR> d-------- c:\windows\Logs
2009-01-04 14:25 . 2009-01-04 14:25 <DIR> d--hs---- c:\windows\ftpcache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 16:58 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-03 16:48 --------- d-----w c:\documents and settings\Administrator\Application Data\uTorrent
2009-02-03 13:25 --------- d-----w c:\program files\Garena
2009-02-03 12:57 --------- d-----w c:\program files\SpeedFan
2009-02-03 11:48 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-03 11:23 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-02 22:25 --------- d-----w c:\program files\eMule
2009-02-02 22:09 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-02 21:31 --------- d-----w c:\documents and settings\Administrator\Application Data\Hamachi
2009-02-02 21:30 --------- d-----w c:\program files\DC++
2009-02-02 17:00 --------- d-----w c:\program files\Common Files\Adobe
2009-01-14 15:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 15:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-05 12:38 685,816 ----a-w c:\windows\system32\drivers\sptd.sys
2009-01-02 18:53 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-02 18:53 --------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-20 18:03 --------- d-----w c:\documents and settings\Administrator\Application Data\InstallShield
.

------- Sigcheck -------

2004-08-03 23:56 31744 4b8c55de39cea0f0a2012ed3bb0b8bcd c:\windows\system32\svchost.exe
2004-08-03 23:56 31744 9d06b037cc365b998e9ab0c8e4847a98 c:\windows\system32\dllcache\svchost.exe

2004-08-03 23:56 1049600 702761872c9f7b8835f59bd88c9d95bf c:\windows\explorer.exe
2004-08-03 23:56 1049600 9bf6efc6cc173eabb12d272a8580b73f c:\windows\system32\dllcache\explorer.exe

2004-08-03 23:56 32768 f7cd1208692a3545304d1b6d538536bf c:\windows\system32\ctfmon.exe
2004-08-03 23:56 32768 274a8ac596b23b25e1130a8637b1af2b c:\windows\system32\dllcache\ctfmon.exe

2004-08-03 23:56 75264 1ef1b34ae2bebf5336c456d6f42e5e97 c:\windows\system32\spoolsv.exe
2004-08-03 23:56 75264 836cda57880ed906ee9ac9d1cbb03787 c:\windows\system32\dllcache\spoolsv.exe

2004-08-03 23:56 41984 ecfd71a23183951ca81fd5ec2eac58b0 c:\windows\system32\userinit.exe
2004-08-03 23:56 41984 b176a7ade4f4777d70cb0976ac6bc8f7 c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 32768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D_V_T"="c:\\dvt.exe" [2006-10-26 20992]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 98304]
"CnxDslTaskBar"="c:\program files\Conexant\AccessRunner ADSL\CnxDslTb.exe" [2003-10-29 483328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 32768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-26 131072]
Remote Control.lnk - c:\program files\KWorld Multimedia\PVR-TV 7131 Utilities\P3XRCtl.exe [2006-12-10 77824]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BtTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-12-10 15:57 133016 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-08-04 00:06 1684992 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-07 01:05 221184 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Quick TV Agent]
--a------ 2004-10-11 10:46 757760 c:\program files\Quick TV Multimedia\Quick TV\Scheduled.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2004-11-02 20:24 53248 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-09-09 20:08 171448 c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-03 23:56 110592 c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\Program Files\\Google\\Google Earth\\googleearth.exe"=
"f:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"f:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"e:\\Program Files\\KONAMI\\Pro Evolution Soccer 2009\\pes2009.exe"=
"c:\\Program Files\\InterVideo\\DVD6\\WinDVD.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"e:\\Program Files\\Counter Strike\\hl.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13484:TCP"= 13484:TCP:NortonAV

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2008-07-31 20616]
R3 Cap713x;Philips Cap713x Video Capture;c:\windows\system32\drivers\Cap713x.sys [2006-12-10 672128]
R3 CnxEtP;Conexant AccessRunner USB ADSL WAN Adapter Filter Driver;c:\windows\system32\drivers\CnxEtP.sys [2008-03-06 60288]
R3 CnxEtU;Conexant AccessRunner USB ADSL Interface Device Driver;c:\windows\system32\drivers\CnxEtU.sys [2008-03-06 646784]
R3 CnxTgN;Conexant AccessRunner USB ADSL WAN Adapter Driver;c:\windows\system32\drivers\CnxTgN.sys [2008-03-06 108675]
S3 Adpcsemter;Adpcsemter; [x]
S3 CCCP106;TRUST 120 SPACEC@M;c:\windows\system32\DRIVERS\cccp106.sys --> c:\windows\system32\DRIVERS\cccp106.sys [?]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-07-02 26248]
S3 Lmhtcdrmvww;Lmhtcdrmvww; [x]
S3 tap0801;Smarthide TAP driver;c:\windows\system32\drivers\tap0801.sys [2007-10-12 55808]
S3 Ultd9myedscm;Ultd9myedscm; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{328f5bfd-8479-11dc-96e5-001731864492}]
\Shell\AutoRun\command - g:\config\S-1-5-21-1482476501-1644491937-682003330-1013\Cfg.exe
\Shell\open\command - g:\config\S-1-5-21-1482476501-1644491937-682003330-1013\Cfg.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AAWTray - c:\program files\Lavasoft\Ad-Aware 2007\AAWTray.exe
HKU-Default-Run-phcmqnbx.exe - c:\windows\phcmqnbx.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{B8E99280-3C35-4d50-8595-BDD33A756A4B} - %Programfiles%\Windows Live\Messenger\msnmsgr.exe
TCP: {D1AD9E36-13B6-4167-BAF2-4B3722C80D80} = 77.105.0.18 77.105.0.19
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0x4xz9q8.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-02-03 18:17:58
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

c:\documents and settings\Administrator\douaqgw.exe [1540] 0x88E00A00

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a0,75,4f,03,1a,04,6d,79,87,8b,db,56,5d,b6,24,e9,d6,43,e3,e5,d2,df,46,
84,ef,63,55,6f,4e,b3,45,91,64,fe,e6,f3,6d,38,5c,77,3a,8c,13,0f,02,83,9c,d1,\
"??"=hex:4e,d1,d0,ab,46,e1,f6,79,5d,56,aa,64,c2,f3,b2,ed
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-03 18:19:55
ComboFix-quarantined-files.txt 2009-02-03 17:19:53

Pre-Run: 5,205,680,128 bytes free
Post-Run: 5,193,158,656 bytes free


  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Upload the following files:

c:\windows\system32\svchost.exe
c:\windows\system32\userinit.exe

Upload link: http://www.mycity.rs/ambulanta-upload.php

-------------------------------------------------------------------------------------

Open Notepad and copy the following text into it:

Rootkit::
c:\documents and settings\Administrator\douaqgw.exe

Driver::
Adpcsemter
Lmhtcdrmvww
Ultd9myedscm

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13484:TCP"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G\Shell]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{328f5bfd-8479-11dc-96e5-001731864492}]

Save the file from Notepad to the Desktop as "CFScript".

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post in your next message the log that is produced at the end of the cleaning/scanning.

-------------------------------------------------------------------------------------

Download RootRepeal to the Desktop.

Unpack RootRepeal.zip into a folder.
Double-click RootRepeal.exe to start it.
Switch to the Report tab (by clicking the Report button, bottom right).
Click the Scan button.
In the window that opens (Select Scan), tick the boxes in front of all items and click OK.
In the next window (Select Drives), tick the box in front of the system drive (usually C:\) and click OK.
When the process finishes, click Save Report and save the scan report.

Attach the report to your message using the Attach file option.
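The request above for svchost.exe and userinit.exe follows directly from the ComboFix log: in its Sigcheck section every listed system file carries a different MD5 than the copy Windows File Protection keeps in system32\dllcache, yet each pair has exactly the same size, and the catchme section reports a modified ZwOpenFile in NTDLL plus a hidden process. The Python below is an added example, not code from this thread or from ComboFix, that automates that reading of a ComboFix log: it parses the Sigcheck block, flags live-versus-dllcache hash mismatches, and pulls out the catchme findings. The log text inside it is a constructed sample with made-up hashes, paths and PIDs laid out the way ComboFix prints them, and every function name is this example's own.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample in ComboFix's layout; hashes, paths and PIDs are made up
# for this example and are not taken from any real log.
SAMPLE_LOG = """\
------- Sigcheck -------

2004-08-03 23:56 31744 0123456789abcdef0123456789abcdef c:\\windows\\system32\\svchost.exe
2004-08-03 23:56 31744 fedcba9876543210fedcba9876543210 c:\\windows\\system32\\dllcache\\svchost.exe

2004-08-03 23:56 41984 11111111222222223333333344444444 c:\\windows\\system32\\userinit.exe
2004-08-03 23:56 41984 11111111222222223333333344444444 c:\\windows\\system32\\dllcache\\userinit.exe
.
((((( Reg Loading Points )))))
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-01-01 00:00:00

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

c:\\documents and settings\\User\\hidden.exe [1234] 0x88E00A00

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0
"""

# "<date> <time> <size> <md5> <path>" as printed in the Sigcheck block
SIGCHECK_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<md5>[0-9a-f]{32}) (?P<path>.+)$"
)
# "<path> [<pid>] <kernel address>" as printed under "scanning hidden processes"
HIDDEN_PROC_LINE = re.compile(r"^(?P<path>.+?) \[(?P<pid>\d+)\] (?P<addr>0x[0-9A-Fa-f]+)$")


def _section(log: str, start_marker: str, end_pattern: str) -> List[str]:
    """Lines after the first line containing start_marker, up to (excluding)
    the first line matching end_pattern; empty if the marker is absent."""
    out: List[str] = []
    inside = False
    for line in log.splitlines():
        if not inside:
            inside = start_marker in line
            continue
        if re.match(end_pattern, line):
            break
        out.append(line)
    return out


def parse_sigcheck(log: str) -> Dict[str, Dict[str, Tuple[str, int]]]:
    """Map each file name to {'live': (md5, size), 'dllcache': (md5, size)}.
    ComboFix prints the file in its normal location followed by the WFP copy
    in system32\\dllcache; the block ends at a lone '.' line."""
    files: Dict[str, Dict[str, Tuple[str, int]]] = {}
    for line in _section(log, "------- Sigcheck -------", r"^\(\(\(|^\.$"):
        m = SIGCHECK_LINE.match(line.strip())
        if not m:
            continue
        path = m.group("path").lower()
        name = path.rsplit("\\", 1)[-1]
        slot = "dllcache" if "\\dllcache\\" in path else "live"
        files.setdefault(name, {})[slot] = (m.group("md5"), int(m.group("size")))
    return files


def sigcheck_mismatches(log: str) -> List[Dict[str, object]]:
    """Files whose live MD5 differs from the dllcache copy. An in-place file
    infector keeps the size unchanged, so hashes are compared, never sizes."""
    out: List[Dict[str, object]] = []
    for name, slots in sorted(parse_sigcheck(log).items()):
        if "live" in slots and "dllcache" in slots:
            (live_md5, live_size), (cache_md5, cache_size) = slots["live"], slots["dllcache"]
            if live_md5 != cache_md5:
                out.append({"file": name, "live_md5": live_md5, "dllcache_md5": cache_md5,
                            "same_size": live_size == cache_size})
    return out


def parse_catchme(log: str) -> Dict[str, list]:
    """NTDLL hook names and hidden-process records from the catchme block."""
    hooks = [l.strip() for l in _section(log, "detected NTDLL code modification:", r"^\s*$")]
    procs = []
    for line in _section(log, "scanning hidden processes", r"^scanning "):
        m = HIDDEN_PROC_LINE.match(line.strip())
        if m:
            procs.append({"path": m.group("path"), "pid": int(m.group("pid")), "addr": m.group("addr")})
    return {"ntdll_hooks": hooks, "hidden_processes": procs}


def triage(log: str) -> Dict[str, list]:
    """Defender's summary: system files worth submitting for analysis, plus
    the catchme findings that need follow-up."""
    mism = sigcheck_mismatches(log)
    cm = parse_catchme(log)
    return {
        "submit_for_analysis": [m["file"] for m in mism],
        "sigcheck_mismatches": mism,
        "ntdll_hooks": cm["ntdll_hooks"],
        "hidden_processes": cm["hidden_processes"],
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

A hash mismatch is a lead, not a verdict (a stale dllcache copy can also produce one), which is why the helper asks for the files rather than telling the user to delete them; the equal-size detail is exactly why the comparison has to be on the hash and not on size or timestamp.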

  • Joined: 21 Oct 2007
  • Posts: 10

I've uploaded the requested files.
As for scanning with RootRepeal, when I click Scan a blue screen appears saying: windows has detected a problem... and it says it's because of the rootrepeal.sys file. I tried scanning a few times, but it's always the same. That happened to me once during the ComboFix scan as well.

Here's the log
ComboFix 09-02-02.04 - Administrator 2009-02-03 19:28:34.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.928 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\services.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-03 to 2009-02-03 )))))))))))))))))))))))))))))))
.

2009-02-03 18:30 . 33,920 c:\windows\system32\drivers\pautpieg.sys
2009-02-03 18:20 . 2009-02-03 19:23 130 --a------ c:\windows\adobe.bat
2009-02-03 18:20 . 2009-02-03 18:20 5 --a------ c:\windows\_id.dat
2009-02-03 18:19 . 66,560 c:\windows\system32\secupdat.dat
2009-02-03 18:19 . 2009-02-03 18:19 32,768 --ah----- c:\documents and settings\Administrator\douaqgw.exe
2009-02-03 17:48 . 2009-02-03 17:58 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-03 17:48 . 2009-02-03 17:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-03 15:08 . 2009-02-03 17:07 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-03 15:08 . 2009-02-03 17:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-03 12:58 . 2009-02-03 12:58 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\MathWorks
2009-02-03 12:30 . 2009-02-03 13:01 67 --a------ c:\windows\wininit.ini
2009-02-02 22:44 . 2001-07-06 13:41 569,344 -ra------ c:\windows\system32\imagr5.dll
2009-02-02 22:44 . 2001-07-06 11:44 544,768 -ra------ c:\windows\system32\imagx5.dll
2009-02-02 22:44 . 2001-07-06 17:24 283,920 -ra------ c:\windows\system32\ImagXpr5.dll
2009-02-02 22:44 . 2001-06-26 07:15 38,912 -ra------ c:\windows\system32\picn20.dll
2009-01-20 21:15 . 2009-01-20 21:15 <DIR> d-------- c:\program files\DVDVideoSoft
2009-01-20 21:15 . 2009-01-20 21:15 <DIR> d-------- c:\program files\Common Files\DVDVideoSoft
2009-01-04 14:49 . 2009-01-04 14:49 <DIR> d-------- c:\windows\Logs
2009-01-04 14:25 . 2009-01-04 14:25 <DIR> d--hs---- c:\windows\ftpcache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 16:58 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-03 16:48 --------- d-----w c:\documents and settings\Administrator\Application Data\uTorrent
2009-02-03 13:25 --------- d-----w c:\program files\Garena
2009-02-03 12:57 --------- d-----w c:\program files\SpeedFan
2009-02-03 11:48 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-03 11:23 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-02 22:25 --------- d-----w c:\program files\eMule
2009-02-02 22:09 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-02 21:31 --------- d-----w c:\documents and settings\Administrator\Application Data\Hamachi
2009-02-02 21:30 --------- d-----w c:\program files\DC++
2009-02-02 17:00 --------- d-----w c:\program files\Common Files\Adobe
2009-01-14 15:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 15:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-05 12:38 685,816 ----a-w c:\windows\system32\drivers\sptd.sys
2009-01-02 18:53 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-02 18:53 --------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-20 18:03 --------- d-----w c:\documents and settings\Administrator\Application Data\InstallShield
.

------- Sigcheck -------

2004-08-03 23:56 31744 4b8c55de39cea0f0a2012ed3bb0b8bcd c:\windows\system32\svchost.exe
2004-08-03 23:56 31744 9d06b037cc365b998e9ab0c8e4847a98 c:\windows\system32\dllcache\svchost.exe

2004-08-03 23:56 1049600 702761872c9f7b8835f59bd88c9d95bf c:\windows\explorer.exe
2004-08-03 23:56 1049600 9bf6efc6cc173eabb12d272a8580b73f c:\windows\system32\dllcache\explorer.exe

2004-08-03 23:56 32768 f7cd1208692a3545304d1b6d538536bf c:\windows\system32\ctfmon.exe
2004-08-03 23:56 32768 274a8ac596b23b25e1130a8637b1af2b c:\windows\system32\dllcache\ctfmon.exe

2004-08-03 23:56 75264 1ef1b34ae2bebf5336c456d6f42e5e97 c:\windows\system32\spoolsv.exe
2004-08-03 23:56 75264 836cda57880ed906ee9ac9d1cbb03787 c:\windows\system32\dllcache\spoolsv.exe

2004-08-03 23:56 41984 ecfd71a23183951ca81fd5ec2eac58b0 c:\windows\system32\userinit.exe
2004-08-03 23:56 41984 b176a7ade4f4777d70cb0976ac6bc8f7 c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( snapshot@2009-02-03_18.18.35.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-03 15:51:36 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-03 18:19:15 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-03 15:51:36 16,384 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-03 18:19:15 16,384 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-03 15:51:36 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-03 18:19:15 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 32768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D_V_T"="c:\\dvt.exe" [2006-10-26 20992]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 98304]
"CnxDslTaskBar"="c:\program files\Conexant\AccessRunner ADSL\CnxDslTb.exe" [2003-10-29 483328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AAWTray"="c:\program files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [BU]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 32768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-26 131072]
Remote Control.lnk - c:\program files\KWorld Multimedia\PVR-TV 7131 Utilities\P3XRCtl.exe [2006-12-10 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pautpieg.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-12-10 15:57 133016 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-08-04 00:06 1684992 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-07 01:05 221184 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Quick TV Agent]
--a------ 2004-10-11 10:46 757760 c:\program files\Quick TV Multimedia\Quick TV\Scheduled.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2004-11-02 20:24 53248 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-09-09 20:08 171448 c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-03 23:56 110592 c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\Program Files\\Google\\Google Earth\\googleearth.exe"=
"f:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"f:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"e:\\Program Files\\KONAMI\\Pro Evolution Soccer 2009\\pes2009.exe"=
"c:\\Program Files\\InterVideo\\DVD6\\WinDVD.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"e:\\Program Files\\Counter Strike\\hl.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13484:TCP"= 13484:TCP:NortonAV

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2008-07-31 20616]
R0 pautpieg;pautpieg;c:\windows\system32\Drivers\pautpieg.sys --> c:\windows\system32\Drivers\pautpieg.sys [?]
R3 Cap713x;Philips Cap713x Video Capture;c:\windows\system32\drivers\Cap713x.sys [2006-12-10 672128]
R3 CnxEtP;Conexant AccessRunner USB ADSL WAN Adapter Filter Driver;c:\windows\system32\drivers\CnxEtP.sys [2008-03-06 60288]
R3 CnxEtU;Conexant AccessRunner USB ADSL Interface Device Driver;c:\windows\system32\drivers\CnxEtU.sys [2008-03-06 646784]
R3 CnxTgN;Conexant AccessRunner USB ADSL WAN Adapter Driver;c:\windows\system32\drivers\CnxTgN.sys [2008-03-06 108675]
S3 Adpcsemter;Adpcsemter; [x]
S3 CCCP106;TRUST 120 SPACEC@M;c:\windows\system32\DRIVERS\cccp106.sys --> c:\windows\system32\DRIVERS\cccp106.sys [?]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-07-02 26248]
S3 Lmhtcdrmvww;Lmhtcdrmvww; [x]
S3 tap0801;Smarthide TAP driver;c:\windows\system32\drivers\tap0801.sys [2007-10-12 55808]
S3 Ultd9myedscm;Ultd9myedscm; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{328f5bfd-8479-11dc-96e5-001731864492}]
\Shell\AutoRun\command - g:\config\S-1-5-21-1482476501-1644491937-682003330-1013\Cfg.exe
\Shell\open\command - g:\config\S-1-5-21-1482476501-1644491937-682003330-1013\Cfg.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-services - c:\windows\services.exe
HKU-Default-Run-services - c:\windows\services.exe
HKLM-Explorer_Run-services - c:\windows\services.exe
HKCU-Explorer_Run-services - c:\windows\services.exe
HKU-Default-Explorer_Run-services - c:\windows\services.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{B8E99280-3C35-4d50-8595-BDD33A756A4B} - %Programfiles%\Windows Live\Messenger\msnmsgr.exe
TCP: {D1AD9E36-13B6-4167-BAF2-4B3722C80D80} = 77.105.0.19 77.105.0.18
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0x4xz9q8.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-02-03 19:30:39
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a0,75,4f,03,1a,04,6d,79,87,8b,db,56,5d,b6,24,e9,d6,43,e3,e5,d2,df,46,
84,ef,63,55,6f,4e,b3,45,91,64,fe,e6,f3,6d,38,5c,77,3a,8c,13,0f,02,83,9c,d1,\
"??"=hex:4e,d1,d0,ab,46,e1,f6,79,5d,56,aa,64,c2,f3,b2,ed
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-03 19:32:39
ComboFix-quarantined-files.txt 2009-02-03 18:32:36
ComboFix2.txt 2009-02-03 17:19:57

Pre-Run: 5,173,211,136 bytes free
Post-Run: 5,162,074,112 bytes free


offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Let me tell you right away that we could have a big problem here: the two files you sent appear to be infected with a virus (and in that case we won't get far).

We'll check that once we've done what can be done.


As for the previous procedure with ComboFix... something wasn't done properly.

We'll repeat it, just with a different script. So, you need to copy everything inside the Code box into Notepad and save it under the name CFScript.




Open Notepad and copy the following text:

File::
c:\windows\system32\drivers\pautpieg.sys
c:\windows\adobe.bat
c:\windows\_id.dat
c:\windows\system32\secupdat.dat
c:\documents and settings\Administrator\douaqgw.exe

Driver::
pautpieg
Adpcsemter
Lmhtcdrmvww
Ultd9myedscm

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pautpieg.sys]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13484:TCP"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G\Shell]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{328f5bfd-8479-11dc-96e5-001731864492}]


Save the file from Notepad to the Desktop as "CFScript"




Drag the saved script/text onto the ComboFix icon as in the picture.
Post the log that is created at the end of the cleaning/scanning in your next message.

offline
  • Joined: 21 Oct 2007
  • Posts: 10

Here, I've made that log too. I must mention that the virus still keeps appearing constantly at the location mentioned in the first post.
Ultimately, if nothing can be done, I would format C:; I hope that would be enough. I'm wondering whether I should switch to some other antivirus, given that this Symantec hasn't exactly covered itself in glory with this one. Thanks in advance

ComboFix 09-02-02.04 - Administrator 2009-02-03 21:54:30.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.930 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\documents and settings\Administrator\douaqgw.exe
c:\windows\_id.dat
c:\windows\adobe.bat
c:\windows\system32\drivers\pautpieg.sys
c:\windows\system32\secupdat.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\douaqgw.exe
c:\windows\_id.dat
c:\windows\adobe.bat
c:\windows\system32\drivers\pautpieg.sys
c:\windows\system32\secupdat.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ADPCSEMTER
-------\Legacy_LMHTCDRMVWW
-------\Legacy_PAUTPIEG
-------\Service_Adpcsemter
-------\Service_Lmhtcdrmvww
-------\Service_pautpieg
-------\Service_Ultd9myedscm


((((((((((((((((((((((((( Files Created from 2009-01-03 to 2009-02-03 )))))))))))))))))))))))))))))))
.

2009-02-03 17:48 . 2009-02-03 17:58 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-03 17:48 . 2009-02-03 17:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-03 15:08 . 2009-02-03 17:07 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-03 15:08 . 2009-02-03 17:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-03 12:58 . 2009-02-03 12:58 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\MathWorks
2009-02-03 12:30 . 2009-02-03 13:01 67 --a------ c:\windows\wininit.ini
2009-02-02 22:44 . 2001-07-06 13:41 569,344 -ra------ c:\windows\system32\imagr5.dll
2009-02-02 22:44 . 2001-07-06 11:44 544,768 -ra------ c:\windows\system32\imagx5.dll
2009-02-02 22:44 . 2001-07-06 17:24 283,920 -ra------ c:\windows\system32\ImagXpr5.dll
2009-02-02 22:44 . 2001-06-26 07:15 38,912 -ra------ c:\windows\system32\picn20.dll
2009-01-20 21:15 . 2009-01-20 21:15 <DIR> d-------- c:\program files\DVDVideoSoft
2009-01-20 21:15 . 2009-01-20 21:15 <DIR> d-------- c:\program files\Common Files\DVDVideoSoft
2009-01-04 14:49 . 2009-01-04 14:49 <DIR> d-------- c:\windows\Logs
2009-01-04 14:25 . 2009-01-04 14:25 <DIR> d--hs---- c:\windows\ftpcache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 16:58 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-03 16:48 --------- d-----w c:\documents and settings\Administrator\Application Data\uTorrent
2009-02-03 13:25 --------- d-----w c:\program files\Garena
2009-02-03 12:57 --------- d-----w c:\program files\SpeedFan
2009-02-03 11:48 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-03 11:23 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-02 22:25 --------- d-----w c:\program files\eMule
2009-02-02 22:09 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-02 21:31 --------- d-----w c:\documents and settings\Administrator\Application Data\Hamachi
2009-02-02 21:30 --------- d-----w c:\program files\DC++
2009-02-02 17:00 --------- d-----w c:\program files\Common Files\Adobe
2009-01-14 15:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 15:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-05 12:38 685,816 ----a-w c:\windows\system32\drivers\sptd.sys
2009-01-02 18:53 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-02 18:53 --------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-20 18:03 --------- d-----w c:\documents and settings\Administrator\Application Data\InstallShield
.

------- Sigcheck -------

2004-08-03 23:56 31744 4b8c55de39cea0f0a2012ed3bb0b8bcd c:\windows\system32\svchost.exe
2004-08-03 23:56 31744 9d06b037cc365b998e9ab0c8e4847a98 c:\windows\system32\dllcache\svchost.exe

2004-08-03 23:56 1049600 702761872c9f7b8835f59bd88c9d95bf c:\windows\explorer.exe
2004-08-03 23:56 1049600 9bf6efc6cc173eabb12d272a8580b73f c:\windows\system32\dllcache\explorer.exe

2004-08-03 23:56 32768 f7cd1208692a3545304d1b6d538536bf c:\windows\system32\ctfmon.exe
2004-08-03 23:56 32768 274a8ac596b23b25e1130a8637b1af2b c:\windows\system32\dllcache\ctfmon.exe

2004-08-03 23:56 75264 1ef1b34ae2bebf5336c456d6f42e5e97 c:\windows\system32\spoolsv.exe
2004-08-03 23:56 75264 836cda57880ed906ee9ac9d1cbb03787 c:\windows\system32\dllcache\spoolsv.exe

2004-08-03 23:56 41984 ecfd71a23183951ca81fd5ec2eac58b0 c:\windows\system32\userinit.exe
2004-08-03 23:56 41984 b176a7ade4f4777d70cb0976ac6bc8f7 c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( snapshot@2009-02-03_18.18.35.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 184,320 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-02-03 15:51:36 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-03 20:58:18 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-03 15:51:36 16,384 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-03 20:58:18 16,384 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-03 15:51:36 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-03 20:58:18 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 32768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D_V_T"="c:\\dvt.exe" [2006-10-26 20992]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 98304]
"CnxDslTaskBar"="c:\program files\Conexant\AccessRunner ADSL\CnxDslTb.exe" [2003-10-29 483328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AAWTray"="c:\program files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [BU]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 32768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-26 131072]
Remote Control.lnk - c:\program files\KWorld Multimedia\PVR-TV 7131 Utilities\P3XRCtl.exe [2006-12-10 77824]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-12-10 15:57 133016 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-08-04 00:06 1684992 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-07 01:05 221184 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Quick TV Agent]
--a------ 2004-10-11 10:46 757760 c:\program files\Quick TV Multimedia\Quick TV\Scheduled.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2004-11-02 20:24 53248 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-09-09 20:08 171448 c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-03 23:56 110592 c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\Program Files\\Google\\Google Earth\\googleearth.exe"=
"f:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"f:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"e:\\Program Files\\KONAMI\\Pro Evolution Soccer 2009\\pes2009.exe"=
"c:\\Program Files\\InterVideo\\DVD6\\WinDVD.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"e:\\Program Files\\Counter Strike\\hl.exe"=

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2008-07-31 20616]
R3 Cap713x;Philips Cap713x Video Capture;c:\windows\system32\drivers\Cap713x.sys [2006-12-10 672128]
R3 CnxEtP;Conexant AccessRunner USB ADSL WAN Adapter Filter Driver;c:\windows\system32\drivers\CnxEtP.sys [2008-03-06 60288]
R3 CnxEtU;Conexant AccessRunner USB ADSL Interface Device Driver;c:\windows\system32\drivers\CnxEtU.sys [2008-03-06 646784]
R3 CnxTgN;Conexant AccessRunner USB ADSL WAN Adapter Driver;c:\windows\system32\drivers\CnxTgN.sys [2008-03-06 108675]
S3 CCCP106;TRUST 120 SPACEC@M;c:\windows\system32\DRIVERS\cccp106.sys --> c:\windows\system32\DRIVERS\cccp106.sys [?]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-07-02 26248]
S3 tap0801;Smarthide TAP driver;c:\windows\system32\drivers\tap0801.sys [2007-10-12 55808]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{B8E99280-3C35-4d50-8595-BDD33A756A4B} - %Programfiles%\Windows Live\Messenger\msnmsgr.exe
TCP: {D1AD9E36-13B6-4167-BAF2-4B3722C80D80} = 77.105.0.18 77.105.0.19
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0x4xz9q8.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-02-03 21:59:37
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a0,75,4f,03,1a,04,6d,79,87,8b,db,56,5d,b6,24,e9,d6,43,e3,e5,d2,df,46,
84,ef,63,55,6f,4e,b3,45,91,64,fe,e6,f3,6d,38,5c,77,3a,8c,13,0f,02,83,9c,d1,\
"??"=hex:4e,d1,d0,ab,46,e1,f6,79,5d,56,aa,64,c2,f3,b2,ed
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828-)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
c:\matlab6.5\webserver\bin\win32\matlabserver.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
c:\matlab6.5\bin\win32\matlab.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: 2009-02-03 22:02:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-03 21:02:05
ComboFix2.txt 2009-02-03 18:32:40
ComboFix3.txt 2009-02-03 17:19:57

Pre-Run: 5,139,439,616 bytes free
Post-Run: 5,053,153,280 bytes free

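An added example for the two ComboFix logs in this thread and for dr_Bora's CFScript above (this is not code from the thread, from ComboFix or from dr_Bora): a small Python script that pulls out of a ComboFix-style log the kinds of findings the CFScript targeted, namely services whose binary is missing (`[x]`) or whose path could not be resolved (`[?]`), mountpoints2 AutoRun commands pointing at executables on a removable drive, Security Center override values, and Sigcheck entries where the system32 file's MD5 differs from its dllcache copy. The section formats it parses are assumed from the lines quoted in this thread only; the sample log inside is assembled from those same lines.

```python
"""Triage of a ComboFix-style log. Added example, not ComboFix's own code; the
section formats are assumed only from the lines quoted in this thread."""
import re

# Constructed sample: lines copied verbatim from the ComboFix logs posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

R0 pautpieg;pautpieg;c:\windows\system32\Drivers\pautpieg.sys --> c:\windows\system32\Drivers\pautpieg.sys [?]
S3 Adpcsemter;Adpcsemter; [x]
S3 Lmhtcdrmvww;Lmhtcdrmvww; [x]
S3 tap0801;Smarthide TAP driver;c:\windows\system32\drivers\tap0801.sys [2007-10-12 55808]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{328f5bfd-8479-11dc-96e5-001731864492}]
\Shell\AutoRun\command - g:\config\S-1-5-21-1482476501-1644491937-682003330-1013\Cfg.exe
\Shell\open\command - g:\config\S-1-5-21-1482476501-1644491937-682003330-1013\Cfg.exe

2004-08-03 23:56 31744 4b8c55de39cea0f0a2012ed3bb0b8bcd c:\windows\system32\svchost.exe
2004-08-03 23:56 31744 9d06b037cc365b998e9ab0c8e4847a98 c:\windows\system32\dllcache\svchost.exe
"""

SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")   # "R0 name;display;path [date size]"
MOUNT_KEY_RE = re.compile(r"^\[.*\\mountpoints2\\([^\]]+)\]$", re.I)
SHELL_RE = re.compile(r"^\\Shell\\([^\\]+)\\command - (.+)$", re.I)
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
SIGCHECK_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d (\d+) ([0-9a-f]{32}) (.+)$")


def parse_services(lines):
    """(start, name, status): [x] = no binary on disk, [?] = path could not be resolved."""
    out = []
    for ln in lines:
        m = SERVICE_RE.match(ln)
        if m:
            start, name, _display, rest = m.groups()
            rest = rest.strip()
            status = "missing_binary" if rest == "[x]" else "unresolved_path" if rest.endswith("[?]") else "ok"
            out.append((start, name, status))
    return out


def autorun_commands(lines):
    """(mountpoint, verb, command) for each Shell\\<verb>\\command under mountpoints2."""
    out, key = [], None
    for ln in lines:
        m = MOUNT_KEY_RE.match(ln)
        if m:
            key = m.group(1)
        elif ln.startswith("["):
            key = None                      # a different registry key started
        elif key and (m := SHELL_RE.match(ln)):
            out.append((key, m.group(1), m.group(2).strip()))
    return out


def security_center_overrides(lines):
    """Security Center values set non-zero, i.e. AV/firewall/update warnings suppressed."""
    out, in_sc = [], False
    for ln in lines:
        if ln.startswith("["):
            in_sc = ln.lower().endswith("\\security center]")
        elif in_sc and (m := DWORD_RE.match(ln)) and int(m.group(2), 16):
            out.append(m.group(1))
    return out


def sigcheck_mismatches(lines):
    """Basenames whose system32 MD5 differs from the dllcache copy: (name, live, cache)."""
    live, cache = {}, {}
    for ln in lines:
        if m := SIGCHECK_RE.match(ln):
            size, md5, path = int(m.group(1)), m.group(2), m.group(3).strip()
            base = path.rsplit("\\", 1)[-1].lower()
            (cache if "\\dllcache\\" in path.lower() else live)[base] = (size, md5)
    return [(b, live[b], cache[b]) for b in sorted(live) if b in cache and live[b][1] != cache[b][1]]


def triage(text):
    """Everything a removal helper would act on, keyed by finding type."""
    lines = text.splitlines()
    services = parse_services(lines)
    return {
        "missing_binary": [n for _s, n, st in services if st == "missing_binary"],
        "unresolved_path": [n for _s, n, st in services if st == "unresolved_path"],
        "autorun": autorun_commands(lines),
        "security_center": security_center_overrides(lines),
        "sigcheck_mismatch": [b for b, _l, _c in sigcheck_mismatches(lines)],
    }


if __name__ == "__main__":
    for finding, items in triage(SAMPLE_LOG).items():
        print(f"{finding}: {items}")
```

Each finding maps onto a line of the CFScript dr_Bora posted: the `[x]`/`[?]` services go under `Driver::`, the mountpoints2 keys under `Registry::` with a leading `-`, and the Security Center overrides are the reason the user saw no warning that the firewall and antivirus status had been tampered with. A Sigcheck mismatch on its own is not proof of infection, but identical sizes with different hashes on core binaries such as svchost.exe is exactly what to verify against a known-good copy before trusting anything else the machine reports.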

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Now try running a scan with Gmer or RootRepeal.

Update: 03 Feb 2009 22:44

Since I'll be off to bed soon, here are the further instructions so we don't lose time.

After you've done the above (if one of the programs works), also run an online scan:

http://www.eset.com/onlinescan/



The scan log will be saved as: C:\Program Files\EsetOnlineScanner\log.txt

Paste it here.
