Log check

  • Joined: 01 May 2009
  • Posts: 11

Posted: 01 May 2009 20:24

This computer had an infection that Avira and SUPERAntiSpyware cleaned up, but the machine is still slow. Please look at the log and tell me what to do next if something is still there. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:20:08 PM, on 5/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = start.icq.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = adobe.com/shockwave/download/triggerpages_mmcom/default.html
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [BtTray] "C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send by Bluetooth - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
O8 - Extra context menu item: Send via &Message... - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A} (FileInterface Class) - online.bancaintesabeograd.com/RetailDLL/FSINT.dll
O16 - DPF: {76326493-E84F-4D4B-939C-1E07B50037F2} (ProxyModule Class) - online.bancaintesabeograd.com/RetailDLL/SGCMSCCD.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B5CCDA0-80AA-4484-AF19-AD3F5D8B0A3A}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B5CCDA0-80AA-4484-AF19-AD3F5D8B0A3A}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0B5CCDA0-80AA-4484-AF19-AD3F5D8B0A3A}: NameServer = 192.168.0.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\skype4com.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\csellang32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: BsMobileCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 7787 bytes

Update: 01 May 2009 20:33

Looking through the other topics I downloaded USBNoRisk and scanned the flash drive; I'm posting the log right away. There is something in there :)

USBNoRisk 2.1 by bobby

Started at 5/1/2009 8:28:43 PM

Scanning for connected USB Mass storage...
----------------------------------------
========================================

Scanning for other storage...
----------------------------------------
C: {fa0d2711-d397-11db-9f4e-806d6172696f}
========================================


Scanning fixed storage for autorun.inf files...
----------------------------------------

Blocked file found: C:\autorun.inf.blocked
----------------------------------------
Content of C:\autorun.inf.blocked
----------------------------------------
[AutoRun]
open=ej10fkdo.bat
shell\open\Command=ej10fkdo.bat
----------------------------------------

No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for fa0d2711-d397-11db-9f4e-806d6172696f
----------------------------------------

========================================
Initial scan finished!
========================================


New device connected at 5/1/2009 8:29:05 PM

Scanning for connected USB mass storage...
----------------------------------------
F: {744c7e28-7d00-11dd-91ed-001636dd4cfc}
Added F:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on F:
----------------------------------------
autorun.inf found on F:
----------------------------------------
File F:\autorun.inf renamed successfully

Content of F:\autorun.inf.blocked
----------------------------------------
[AutoRun]
open=ej10fkdo.bat
shell\open\Command=ej10fkdo.bat
----------------------------------------

Files referenced from F:\autorun.inf.blocked
----------------------------------------
F:\ej10fkdo.bat -r-hs 108855
----------------------------------------

Sanitized mountpoint for 744c7e28-7d00-11dd-91ed-001636dd4cfc
----------------------------------------

No Desktop.ini files found on F:
----------------------------------------

No mimics found on drive F:
========================================

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...

Right-click the Avira icon in the bottom right corner of the screen and untick AntiVir Guard Enable.

Note: don't forget to turn this option back on once the cleaning is finished.

Also shut down SUPERAntiSpyware (right-click its tray icon and choose Exit).


-------------------------------------------------------------------------------------



Download ComboFix from one of the following addresses to your Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and do not touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear; copy it here for us.

  • Joined: 01 May 2009
  • Posts: 11

ComboFix 09-05-01.1 - Natasa 05/01/2009 20:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.894.379 [GMT 2:00]
Running from: c:\documents and settings\Natasa\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-04-01 to 2009-05-01 )))))))))))))))))))))))))))))))
.

2009-05-01 18:19 . 2009-05-01 18:19 -------- d-----w c:\program files\Trend Micro
2009-04-30 15:34 . 2007-03-15 17:17 183808 ----a-w C:\WgaLogon.dll
2009-04-27 13:30 . 2009-04-27 13:30 -------- d-----w c:\program files\Avira
2009-04-27 13:30 . 2009-04-27 13:30 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-04-27 12:42 . 2009-05-01 18:33 -------- d-----w C:\USBNoRisk
2009-04-27 11:20 . 2009-04-27 11:20 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-27 11:20 . 2009-04-27 12:55 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-27 11:20 . 2009-04-27 11:20 -------- d-----w c:\documents and settings\Natasa\Application Data\SUPERAntiSpyware.com
2009-04-27 11:20 . 2009-04-27 11:20 -------- d-----w c:\program files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 13:33 . 2009-03-23 16:57 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-27 12:24 . 2007-06-23 18:45 -------- d-----w c:\program files\DAEMON Tools
2009-03-26 10:27 . 2009-03-26 10:28 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-26 10:27 . 2007-03-16 11:54 -------- d-----w c:\program files\Java
2009-03-22 19:57 . 2007-05-09 21:32 -------- d-----w c:\program files\LimeWire
2009-03-22 14:43 . 2008-01-13 16:52 -------- d-----w c:\program files\Soulseek
2009-03-21 11:59 . 2009-03-14 15:26 -------- d-----w c:\program files\Fish Tycoon
2009-03-19 23:11 . 2008-06-17 21:31 -------- d-----w c:\program files\MessengerDiscovery
2009-03-15 17:15 . 2009-03-15 17:15 -------- d-----w c:\program files\IVT Corporation
2009-03-15 14:49 . 2009-03-15 14:49 -------- d-----w c:\program files\GameInvest
2009-03-08 19:35 . 2009-03-07 17:22 -------- d-----w c:\program files\Garena
2009-03-07 12:05 . 2007-03-16 12:40 -------- d-----w c:\program files\ESET
2009-02-25 13:03 . 2009-02-25 13:03 82380 ----a-w c:\windows\system32\drivers\AFS2K.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-11 344064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-07 761946]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-03-16 282624]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"BtTray"="c:\program files\IVT Corporation\BlueSoleil\BtTray.exe" [2008-06-05 231424]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-06-28 16248320]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 10:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Natasa^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Natasa\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Natasa^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Natasa\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleilCS.exe"=

R3 GarenaPEngine;GarenaPEngine; [x]
R3 Unilocator;Unilocator;c:\windows\system32\locatrNT.exe [1996-09-29 120832]
S0 BtHidBus;Bluetooth HID Bus Service;c:\windows\System32\Drivers\BtHidBus.sys [2008-01-21 21512]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-27 108289]
S2 BsMobileCS;BsMobileCS;c:\program files\IVT Corporation\BlueSoleil\BsMobileCS.exe [2008-06-04 143467]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\Drivers\IvtBtBus.sys [2008-01-21 26248]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup.exe /autorun
\Shell\dxinst\command - e:\directx\dxsetup.exe
\Shell\mplayer\command - e:\goodies\mplayer\mpmin.exe
\Shell\setup\command - E:\setup.exe /autorun

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a24cb85-124c-11de-93fa-101111111111}]
\Shell\AutoRun\command - G:\uxkl0apt.bat
\Shell\open\Command - G:\uxkl0apt.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51b69c23-7bda-11dc-8e3f-001636dd4cfc}]
\Shell\AutoRun\command - F:\u.com
\Shell\open\Command - F:\u.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f24401a-e5c3-11db-8c90-001636dd4cfc}]
\Shell\AutoRun\command - F:\ej10fkdo.bat
\Shell\open\Command - F:\ej10fkdo.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac51dc6e-259b-11dd-90a3-001636dd4cfc}]
\Shell\AutoRun\command - F:\ej10fkdo.bat
\Shell\open\Command - F:\ej10fkdo.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{acd38de6-27df-11dd-90ac-001636dd4cfc}]
\Shell\AutoRun\command - gg.exe 0o
\Shell\explore\Command - gg.exe 0e
\Shell\open\Command - gg.exe 0o

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9d51d79-966c-11dc-8e90-001636dd4cfc}]
\Shell\AutoRun\command - F:\i.com
\Shell\open\Command - F:\i.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef80ae9d-1cf1-11dc-8d4f-000c7648812c}]
\Shell\AutoRun\command - F:\jm3cx96.bat
\Shell\open\Command - F:\jm3cx96.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eff081af-0b0f-11de-93dd-001cea6aa68d}]
\Shell\AutoRun\command - F:\2fiy.bat
\Shell\open\Command - F:\2fiy.bat
.
Contents of the 'Scheduled Tasks' folder

2009-05-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.icq.com/
uInternet Connection Wizard,ShellNext = hxxp://www.adobe.com/shockwave/download/triggerpages_mmcom/default.html
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send by Bluetooth - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
IE: Send via &Message... - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
TCP: {0B5CCDA0-80AA-4484-AF19-AD3F5D8B0A3A} = 192.168.0.1
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
DPF: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A} - hxxps://online.bancaintesabeograd.com/RetailDLL/FSINT.dll
DPF: {76326493-E84F-4D4B-939C-1E07B50037F2} - hxxps://online.bancaintesabeograd.com/RetailDLL/SGCMSCCD.DLL
FF - ProfilePath - c:\documents and settings\Natasa\Application Data\Mozilla\Firefox\Profiles\g2s5elmj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-05-01 20:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(480)
c:\windows\system32\msi.dll
.
Completion time: 2009-05-01 20:58
ComboFix-quarantined-files.txt 2009-05-01 18:58
ComboFix2.txt 2009-04-27 12:51

Pre-Run: 8,243,580,928 bytes free
Post-Run: 8,304,533,504 bytes free

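The MountPoints2 block in the ComboFix log above is Explorer's per-volume cache of the handlers it read from each volume's autorun.inf (HKCU\...\Explorer\MountPoints2\<drive letter or volume GUID>\Shell\<verb>\command). The keys outlive the media, so they record which drives carried which autorun.inf, not that anything ran. The Python below is an added example for this thread, not ComboFix code: it parses that section out of the log text and applies two heuristics of its own to separate installer-CD entries (E:\setup.exe /autorun) from the worm pattern (a .bat/.com in the root, or a bare name such as gg.exe with no drive letter). SAMPLE_LOG is a subset of the ComboFix output above; the scoring rules are assumptions, not anything ComboFix reports.

```python
r"""Triage the MountPoints2 section of a ComboFix log.

Added example for this thread; not ComboFix code.  The scoring rules are
this example's own heuristics.  SAMPLE_LOG is a subset of the log above.
"""
import ntpath
import re

HEADER_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\(?P<vol>[^\]]+)\]$",
    re.IGNORECASE,
)
ENTRY_RE = re.compile(
    r"^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+)$", re.IGNORECASE
)
# Extensions an installer CD does not normally put behind AutoRun.
SCRIPT_EXTS = {".bat", ".cmd", ".com", ".pif", ".scr", ".vbs", ".js"}

# Constructed sample: three of the volumes from the ComboFix log above.
SAMPLE_LOG = r"""[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup.exe /autorun
\Shell\dxinst\command - e:\directx\dxsetup.exe
\Shell\setup\command - E:\setup.exe /autorun

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a24cb85-124c-11de-93fa-101111111111}]
\Shell\AutoRun\command - G:\uxkl0apt.bat
\Shell\open\Command - G:\uxkl0apt.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{acd38de6-27df-11dd-90ac-001636dd4cfc}]
\Shell\AutoRun\command - gg.exe 0o
\Shell\explore\Command - gg.exe 0e
\Shell\open\Command - gg.exe 0o
"""


def parse_mountpoints(log_text):
    """Return {volume: [(verb, command), ...]} from the ComboFix section."""
    result = {}
    current = None
    for line in log_text.splitlines():
        line = line.rstrip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group("vol")
            result.setdefault(current, [])
            continue
        if line.startswith("["):  # some other registry key: stop collecting
            current = None
            continue
        entry = ENTRY_RE.match(line) if current is not None else None
        if entry:
            result[current].append((entry.group("verb").lower(), entry.group("cmd").strip()))
    return result


def first_token(cmd):
    """Program part of a command line: a quoted string or the first word."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', cmd)
    return (m.group(1) or m.group(2) or "") if m else ""


def score_volume(entries):
    """Reasons this volume's cached handlers look like an autorun worm.

    Heuristics (this example's own): a script-type target, or a target with
    no drive letter, which Explorer resolves against its current directory.
    An installer CD running setup.exe by full drive path passes both.
    """
    reasons = []
    for verb, cmd in entries:
        target = first_token(cmd)
        if ntpath.splitext(target)[1].lower() in SCRIPT_EXTS:
            reasons.append(f"{verb}: script target {target}")
        if not ntpath.splitdrive(target)[0]:
            reasons.append(f"{verb}: target {target} has no drive letter")
    return reasons


def triage(log_text):
    """{volume: reasons} for every volume that trips at least one rule."""
    flagged = {}
    for vol, entries in parse_mountpoints(log_text).items():
        reasons = score_volume(entries)
        if reasons:
            flagged[vol] = reasons
    return flagged


if __name__ == "__main__":
    for vol, reasons in triage(SAMPLE_LOG).items():
        print(vol)
        for reason in reasons:
            print("   ", reason)
```

Against the full log above the rules flag every GUID volume (u.com, i.com, the .bat names, gg.exe) and leave E: alone. The volume GUIDs are the keys to use in a USBNoRisk script, as dr_Bora does below; the drive letter is only meaningful while that particular stick is plugged in.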

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Upload the following files:

c:\windows\system32\locatrNT.exe
C:\WgaLogon.dll


Upload link: http://www.mycity.rs/ambulanta-upload.php

  • Joined: 01 May 2009
  • Posts: 11

Done, waiting for further instructions.

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Run USBNoRisk, switch to the Script tab and paste in everything inside the code box:

{fa0d2711-d397-11db-9f4e-806d6172696f}
delete_blocked:

{744c7e28-7d00-11dd-91ed-001636dd4cfc}
delete: %DRIVE%ej10fkdo.bat
delete_blocked:



Plug in the flash drive. After about ten seconds save the new log (right-click, Save log) and paste it here.

  • Joined: 01 May 2009
  • Posts: 11

Posted: 01 May 2009 21:57

USBNoRisk 2.1 by bobby

Started at 5/1/2009 9:54:11 PM

Scanning for connected USB Mass storage...
----------------------------------------
========================================

Scanning for other storage...
----------------------------------------
C: {fa0d2711-d397-11db-9f4e-806d6172696f}
========================================


Scanning fixed storage for autorun.inf files...
----------------------------------------

Blocked file found: C:\autorun.inf.blocked
----------------------------------------
Content of C:\autorun.inf.blocked
----------------------------------------
[AutoRun]
open=ej10fkdo.bat
shell\open\Command=ej10fkdo.bat
----------------------------------------

No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for fa0d2711-d397-11db-9f4e-806d6172696f
----------------------------------------

========================================
Initial scan finished!
========================================

Processing script
----------------------------------------
fa0d2711-d397-11db-9f4e-806d6172696f
Drive letter for GUID: C:
SectionStart = 0
SectionEnd = 2
----------------------------------------
Deleting blocked files:
----------------------------------------


New device connected at 5/1/2009 9:55:45 PM

Scanning for connected USB mass storage...
----------------------------------------
F: {744c7e28-7d00-11dd-91ed-001636dd4cfc}
Added F:
========================================

Scanning USB mass storage for files...
----------------------------------------
Blocked file found: F:\autorun.inf.blocked
----------------------------------------
Content of F:\autorun.inf.blocked
----------------------------------------
[AutoRun]
open=ej10fkdo.bat
shell\open\Command=ej10fkdo.bat
----------------------------------------

Files referenced from F:\autorun.inf.blocked
----------------------------------------
F:\ej10fkdo.bat -r-hs 108855
----------------------------------------

----------------------------------------
No Autorun.inf files found on F:
No mountpoint found for 744c7e28-7d00-11dd-91ed-001636dd4cfc
----------------------------------------

No Desktop.ini files found on F:
----------------------------------------

No mimics found on drive F:
========================================

Processing script
----------------------------------------
744c7e28-7d00-11dd-91ed-001636dd4cfc
Drive letter for GUID: F:
SectionStart = 3
SectionEnd = 5
File lock detected:
USBNoRisk cannot find what locked the file
Delete: F:\ej10fkdo.bat > Error!
----------------------------------------
Deleting blocked files:
----------------------------------------
Delete: F:\autorun.inf.blocked > Done!
----------------------------------------

========================================
Scan finished!
========================================

Update: 01 May 2009 21:59

When the flash drive was plugged in the first time nothing happened, so I did Run script, but when I plugged the flash drive in the second time the script was executed.

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

OK. Temporarily disable the antivirus and repeat the procedure with the following script:


{744c7e28-7d00-11dd-91ed-001636dd4cfc}
f_delete: %DRIVE%ej10fkdo.bat
delete: C:\autorun.inf.blocked



Post the new log.

  • Joined: 01 May 2009
  • Posts: 11

USBNoRisk 2.1 by bobby

Started at 5/1/2009 10:09:33 PM

Scanning for connected USB Mass storage...
----------------------------------------
========================================

Scanning for other storage...
----------------------------------------
C: {fa0d2711-d397-11db-9f4e-806d6172696f}
========================================


Scanning fixed storage for autorun.inf files...
----------------------------------------

Blocked file found: C:\autorun.inf.blocked
----------------------------------------
Content of C:\autorun.inf.blocked
----------------------------------------
[AutoRun]
open=ej10fkdo.bat
shell\open\Command=ej10fkdo.bat
----------------------------------------

No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for fa0d2711-d397-11db-9f4e-806d6172696f
----------------------------------------

========================================
Initial scan finished!
========================================


New device connected at 5/1/2009 10:10:20 PM

Scanning for connected USB mass storage...
----------------------------------------
F: {744c7e28-7d00-11dd-91ed-001636dd4cfc}
Added F:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on F:
----------------------------------------
No Autorun.inf files found on F:
No mountpoint found for 744c7e28-7d00-11dd-91ed-001636dd4cfc
----------------------------------------

No Desktop.ini files found on F:
----------------------------------------

No mimics found on drive F:
========================================

Processing script
----------------------------------------
744c7e28-7d00-11dd-91ed-001636dd4cfc
Drive letter for GUID: F:
SectionStart = 0
SectionEnd = 2
f_delete: delete file error: F:\ej10fkdo.bat, The handle is invalid.
Delete: C:\autorun.inf.blocked > Done!
----------------------------------------

========================================
Scan finished!
========================================

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Once more. Here is the script:


{744c7e28-7d00-11dd-91ed-001636dd4cfc}
folder_list: %DRIVE%
