Trojans

trojanci
  • Joined: 23 Oct 2007
  • Posts: 49

Hello, with S-S&D I found that I am infected with the trojans Delf and Hupigon 13. It cleans them, but when the computer is restarted they show up again. The computer is slowed down and the trojans are blocking my AV protection. I am sending the HJT log file so you can see what can be done. Thanks


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:37 PM, on 27/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
C:\Program Files\Compaq\LCRMS\LCRMS.EXE
C:\Windows\system32\svchost.exe
C:\Windows\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE
C:\Windows\System32\NMSSvc.exe
C:\Windows\System32\nvsvc32.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~2\cpqdmi.exe
C:\Windows\Explorer.EXE
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\PROGRA~1\Compaq\COMPAQ~2\CHKADMIN.EXE
C:\Windows\system32\JupitCo.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\tHIS\THIS.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = trazim.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~2\CHKADMIN.EXE
O4 - HKLM\..\Run: [USB SECURITY DEVICE CoInstaller] JupitCo.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Administrator] C:\Documents and Settings\Administrator\Administrator.exe /i
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {F9463571-87CB-4A90-A1AC-2284B7F5AF4E} (Persits Software XEncrypt) - banka.com.mk/Ctrls/Ctrls.cab
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\COMPAQ\ACLIENT\ACLIENT.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~2\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
O23 - Service: HTTP SSL HTTPFilterEventlog (HTTPFilterEventlog) - Unknown owner - C:\Windows\system32\ahuii.exe
O23 - Service: Insight Manager LC Remote Management (LCRMS) - Compaq Computer Corporation - C:\Program Files\Compaq\LCRMS\LCRMS.EXE
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\Windows\LogWatNT.exe
O23 - Service: NetOp Helper ver. 7.50 (2002343) (NetOp Host for NT Service) - Danware Data A/S - C:\Program Files\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\Windows\System32\nvsvc32.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

--
End of file - 5472 bytes
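Before a log like this is handed to a helper, a first pass can be automated. The script below is an added example (it is not HijackThis output and not code from this forum): it reads HJT lines and flags the three things a triager would look at first in the log above: an IE start page that is not the Microsoft default (R0), Run entries that are a bare file name or live under a user profile (O4), and services whose binary carries no CompanyName version information, which HijackThis prints as "Unknown owner" (O23). The sample lines are constructed from the log above, with the avast! and Messenger entries kept as negative controls. These are review flags, not verdicts: JupitCo.exe is flagged only because it is launched by bare name, and nothing in the thread says it is malicious.

```python
"""Triage a HijackThis log for the indicators seen in this thread.
Added example; the rules are mine, not HijackThis's."""
import re
from typing import List, NamedTuple

# Constructed sample: lines taken from the HijackThis log above, plus the
# benign avast! and Messenger entries as negative controls.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = trazim.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [USB SECURITY DEVICE CoInstaller] JupitCo.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Administrator] C:\Documents and Settings\Administrator\Administrator.exe /i
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: HTTP SSL HTTPFilterEventlog (HTTPFilterEventlog) - Unknown owner - C:\Windows\system32\ahuii.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\Windows\LogWatNT.exe
"""


class Finding(NamedTuple):
    code: str      # HJT section code, e.g. "O23"
    reason: str    # why a human should look at it
    target: str    # the value, command or binary concerned


LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
# O4 body: HKLM\..\Run: [name] command
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run\w*: \[[^\]]*\] (?P<cmd>.+)$")
# first token of a command, with or without surrounding quotes
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?(?:\s|$)', re.IGNORECASE)


def triage_hjt(text: str) -> List[Finding]:
    found: List[Finding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1") and " = " in body:
            value = body.split(" = ", 1)[1]
            if "microsoft.com" not in value.lower():
                found.append(Finding(code, "IE start/search page is not the Microsoft default", value))
        elif code == "O4":
            r = RUN_RE.match(body)
            e = EXE_RE.match(r.group("cmd")) if r else None
            if not e:
                continue
            exe = e.group("exe")
            if "\\" not in exe:
                # no directory: resolved through the PATH search order at logon
                found.append(Finding(code, "bare file name, resolved through PATH search", exe))
            elif exe.lower().startswith("c:\\documents and settings\\"):
                found.append(Finding(code, "auto-start binary living in a user profile", exe))
        elif code == "O23" and body.startswith("Service: "):
            # "display name - vendor - path"; split from the right so a
            # display name containing " - " does not break the parse
            parts = body[len("Service: "):].rsplit(" - ", 2)
            if len(parts) == 3 and parts[1] == "Unknown owner":
                found.append(Finding(code, "service binary has no CompanyName version info", parts[2]))
    return found


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"{f.code:4} {f.reason:50} {f.target}")
```

Run against the sample it reports five lines for review (the start page, JupitCo.exe, Administrator.exe, ahuii.exe and LogWatNT.exe) and stays quiet on the avast! and Messenger entries; on this machine LogWatNT.exe is part of the Compaq management tooling, so the O23 rule is a prompt to check the file, not a conviction.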

  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Right-click the avast! icon in the bottom right corner of the screen and choose Stop OnAccess Protection.

Note: Don't forget to turn this option back on when the cleaning is finished.


Download ComboFix from one of the following addresses to your Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and don't touch the program window while it scans.
Follow the instructions on the screen. When it finishes, a log (C:\ComboFix.txt) will appear; copy it here for us.

  • Joined: 23 Oct 2007
  • Posts: 49

Avast was blocked and that icon wasn't there, so I removed Avast through Add/Remove Programs. The computer is not on the network, so I'm not worried about additional infections. Here is the log file:
ComboFix 09-04-27.03 - Administrator 28/04/2009 11:25.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.389.1033.18.127.16 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-24 10:40 . 2009-04-24 10:40 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-24 10:40 . 2009-01-04 16:38 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-24 10:40 . 2009-01-04 16:38 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-24 10:40 . 2009-04-24 10:40 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-24 10:40 . 2009-04-24 10:40 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-23 07:13 . 2009-04-23 07:14 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-23 07:13 . 2009-04-23 07:21 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-22 07:38 . 2009-04-24 12:44 32 --s-a-w c:\windows\system32\345450611.dat
2009-04-22 07:38 . 2009-04-22 07:38 53248 --sh--r c:\windows\system32\ahuii.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 06:42 . 2005-12-14 11:53 -------- d-----w c:\program files\Microsoft AntiSpyware
2009-04-27 10:33 . 2008-10-01 12:01 -------- d-----w c:\program files\Trend Micro
2009-04-27 06:19 . 2006-01-06 12:24 -------- d-----w c:\program files\Pozaren pridones
2009-04-23 12:15 . 2006-09-29 06:04 -------- d-----w c:\program files\Cistacki
2009-04-06 07:02 . 2008-01-31 06:56 -------- d-----w c:\program files\Honorarci
2009-04-03 07:31 . 2006-02-14 06:48 -------- d-----w c:\program files\Provizija
2009-04-03 07:21 . 2002-09-12 10:59 -------- d-----w c:\program files\Virmani
2009-03-26 12:04 . 2008-01-25 08:14 -------- d-----w c:\program files\Hrana
2009-03-25 13:46 . 2008-01-28 11:06 -------- d-----w c:\program files\Prevoz
2002-09-12 10:31 . 2002-09-12 10:59 7510 ----a-w c:\program files\ST6UNST.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-03 1667584]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cpqek"="c:\program files\Compaq\Compaq EAB Software\cpqek.exe" [2001-09-12 73728]
"ChkAdmin"="c:\progra~1\Compaq\COMPAQ~2\CHKADMIN.EXE" [2001-12-03 81920]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 473928]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]
"USB SECURITY DEVICE CoInstaller"="JupitCo.exe" - c:\windows\system32\JupitCo.exe [2002-03-14 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a2service.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ArcaCheck.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\arcavir.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashDisp.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashEnhcd.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashServ.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashUpd.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\aswUpdSv.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avcls.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz4.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz_se.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdinit.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caav.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caavguiscan.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\casecuritycenter.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccupdate.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfp.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfpupdat.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cmdagent.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DRWEB32.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FAMEH32.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPAVServer.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fpscan.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPWin.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsav32.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsgk32st.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FSMA32.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxservice.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxup.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navigator.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVSTUB.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Nvcc.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\outpost.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\preupd.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pskdr.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SfFnUp.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Vba32arkit.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vba32ldr.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Zanda.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zapro.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Zlh.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zoneband.dll]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 NHostNT1;NetOp Driver 1 ver. 7.50 (2002343);c:\windows\System32\Drivers\NHOSTNT1.SYS [2002-12-09 54032]
R2 HTTPFilterEventlog;HTTP SSL HTTPFilterEventlog;c:\windows\system32\ahuii.exe [2009-04-22 53248]
R2 JUPITER;USB SECURITY DEVICE;c:\windows\system32\DRIVERS\JUPITER.sys [2002-03-19 9312]
R2 ws2_32sik;ws2_32sik;c:\windows\system32\drivers\ws2_32sik.sys [2004-08-03 30464]
S1 ClntMgmt;Compaq Client Management Driver;c:\windows\system32\Drivers\ClntMgmt.sys [2001-11-29 53926]
S2 CpqDfwWebAgent;Compaq Remote Diagnostics Enabling Agent;c:\windows\Cpqdiag\Cpqdfwag.exe [2001-11-19 212992]
S2 cpqdiag;Compaq Diagnostics Driver;c:\windows\System32\drivers\cpqdiag.sys [2001-06-20 41344]
S2 cpqWebDmi;Compaq DMI Web Agent;c:\progra~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe [2001-12-03 24576]
S2 LCRMS;Insight Manager LC Remote Management;c:\program files\Compaq\LCRMS\LCRMS.EXE [2000-05-23 376881]
S2 LogWatch;Event Log Watch;c:\windows\LogWatNT.exe [2000-06-08 50176]
S2 NetOp Host for NT Service;NetOp Helper ver. 7.50 (2002343);c:\program files\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE [2002-12-09 1085712]
S3 NHOSTNT3;NetOp Driver 3 ver. 7.50 (2002343);c:\windows\System32\Drivers\NHOSTNT3.SYS [2002-12-09 3216]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSCFG

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5964c399-fb12-11dc-af9f-00080214b5d4}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe nar.vbs
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.trazim.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {F9463571-87CB-4A90-A1AC-2284B7F5AF4E} - hxxps://www.banka.com.mk/Ctrls/Ctrls.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-04-28 11:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-28 11:31
ComboFix-quarantined-files.txt 2009-04-28 09:31
ComboFix2.txt 2009-04-28 06:59
ComboFix3.txt 2008-10-08 06:22

Pre-Run: 28,586,098,688 bytes free
Post-Run: 28,581,347,328 bytes free


  • diarno  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Why did you run ComboFix several times?

Attach the ComboFix2.txt file, which is in the root of the C partition. If it's not there, look in the Qoobox folder.

  • Joined: 23 Oct 2007
  • Posts: 49

The first time I ran it, it gave me an empty log file, so I repeated the procedure.
Here is the ComboFix2 file:

ComboFix 09-04-27.03 - Administrator 28/04/2009 8:44.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.389.1033.18.127.15 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\file.exe
c:\windows\system32\digiwet.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-24 10:40 . 2009-04-24 10:40 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-24 10:40 . 2009-01-04 16:38 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-24 10:40 . 2009-01-04 16:38 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-24 10:40 . 2009-04-24 10:40 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-24 10:40 . 2009-04-24 10:40 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-23 07:13 . 2009-04-23 07:14 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-23 07:13 . 2009-04-23 07:21 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-22 07:38 . 2009-04-24 12:44 32 --s-a-w c:\windows\system32\345450611.dat
2009-04-22 07:38 . 2009-04-22 07:38 53248 --sh--r c:\windows\system32\ahuii.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 06:42 . 2005-12-14 11:53 -------- d-----w c:\program files\Microsoft AntiSpyware
2009-04-27 10:33 . 2008-10-01 12:01 -------- d-----w c:\program files\Trend Micro
2009-04-27 06:19 . 2006-01-06 12:24 -------- d-----w c:\program files\Pozaren pridones
2009-04-23 12:15 . 2006-09-29 06:04 -------- d-----w c:\program files\Cistacki
2009-04-06 07:02 . 2008-01-31 06:56 -------- d-----w c:\program files\Honorarci
2009-04-03 07:31 . 2006-02-14 06:48 -------- d-----w c:\program files\Provizija
2009-04-03 07:21 . 2002-09-12 10:59 -------- d-----w c:\program files\Virmani
2009-03-26 12:04 . 2008-01-25 08:14 -------- d-----w c:\program files\Hrana
2009-03-25 13:46 . 2008-01-28 11:06 -------- d-----w c:\program files\Prevoz
2002-09-12 10:31 . 2002-09-12 10:59 7510 ----a-w c:\program files\ST6UNST.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-03 1667584]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cpqek"="c:\program files\Compaq\Compaq EAB Software\cpqek.exe" [2001-09-12 73728]
"ChkAdmin"="c:\progra~1\Compaq\COMPAQ~2\CHKADMIN.EXE" [2001-12-03 81920]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 473928]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]
"USB SECURITY DEVICE CoInstaller"="JupitCo.exe" - c:\windows\system32\JupitCo.exe [2002-03-14 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a2service.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ArcaCheck.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\arcavir.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashDisp.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashEnhcd.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashServ.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashUpd.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\aswUpdSv.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avcls.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz4.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz_se.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdinit.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caav.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caavguiscan.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\casecuritycenter.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccupdate.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfp.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfpupdat.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cmdagent.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DRWEB32.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FAMEH32.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPAVServer.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fpscan.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPWin.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsav32.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsgk32st.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FSMA32.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxservice.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxup.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navigator.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVSTUB.EXE]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Nvcc.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\outpost.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\preupd.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pskdr.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SfFnUp.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Vba32arkit.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vba32ldr.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Zanda.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zapro.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Zlh.exe]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zoneband.dll]
"Debugger"=ntsd -d

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 NHostNT1;NetOp Driver 1 ver. 7.50 (2002343);c:\windows\System32\Drivers\NHOSTNT1.SYS [2002-12-09 54032]
R2 HTTPFilterEventlog;HTTP SSL HTTPFilterEventlog;c:\windows\system32\ahuii.exe [2009-04-22 53248]
R2 JUPITER;USB SECURITY DEVICE;c:\windows\system32\DRIVERS\JUPITER.sys [2002-03-19 9312]
R2 ws2_32sik;ws2_32sik;c:\windows\system32\drivers\ws2_32sik.sys [2004-08-03 30464]
S1 ClntMgmt;Compaq Client Management Driver;c:\windows\system32\Drivers\ClntMgmt.sys [2001-11-29 53926]
S2 CpqDfwWebAgent;Compaq Remote Diagnostics Enabling Agent;c:\windows\Cpqdiag\Cpqdfwag.exe [2001-11-19 212992]
S2 cpqdiag;Compaq Diagnostics Driver;c:\windows\System32\drivers\cpqdiag.sys [2001-06-20 41344]
S2 cpqWebDmi;Compaq DMI Web Agent;c:\progra~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe [2001-12-03 24576]
S2 LCRMS;Insight Manager LC Remote Management;c:\program files\Compaq\LCRMS\LCRMS.EXE [2000-05-23 376881]
S2 LogWatch;Event Log Watch;c:\windows\LogWatNT.exe [2000-06-08 50176]
S2 NetOp Host for NT Service;NetOp Helper ver. 7.50 (2002343);c:\program files\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE [2002-12-09 1085712]
S3 NHOSTNT3;NetOp Driver 3 ver. 7.50 (2002343);c:\windows\System32\Drivers\NHOSTNT3.SYS [2002-12-09 3216]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSCFG
*Deregistered* - AClient
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - ClntMgmt
*Deregistered* - CPQALERT
*Deregistered* - CpqDfwWebAgent
*Deregistered* - cpqdiag
*Deregistered* - cpqdmi
*Deregistered* - cpqWebDmi
*Deregistered* - cq_mem
*Deregistered* - cqcpu
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fastfat
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HTTP
*Deregistered* - HTTPFilterEventlog
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LCRMS
*Deregistered* - LmHosts
*Deregistered* - LogWatch
*Deregistered* - MDM
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - MSSQLServer
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - NetOp Host for NT Service
*Deregistered* - NHOSTNT3
*Deregistered* - Nla
*Deregistered* - NMSCFG
*Deregistered* - NMSSvc
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVSvc
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PolicyAgent
*Deregistered* - ppa3
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - WIN32SL
*Deregistered* - winmgmt
*Deregistered* - ws2_32sik
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5964c399-fb12-11dc-af9f-00080214b5d4}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe nar.vbs
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Administrator - c:\documents and settings\Administrator\Administrator.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.trazim.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {F9463571-87CB-4A90-A1AC-2284B7F5AF4E} - hxxps://www.banka.com.mk/Ctrls/Ctrls.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-04-28 08:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-28 8:59
ComboFix-quarantined-files.txt 2009-04-28 06:59
ComboFix2.txt 2008-10-08 06:22

Pre-Run: 27,927,445,504 bytes free
Post-Run: 28,583,133,184 bytes free


  • diarno (Male)
  • Anti Malware Fighter, Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

Open Notepad and copy the following text into it:

File::
c:\windows\system32\drivers\ws2_32sik.sys
c:\windows\system32\345450611.dat
c:\windows\system32\ahuii.exe 

Driver::
ws2_32sik
HTTPFilterEventlog

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a2service.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ArcaCheck.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\arcavir.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashDisp.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashEnhcd.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashServ.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ashUpd.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\aswUpdSv.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avcls.exe] 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz.exe] 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz4.exe] 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avz_se.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdinit.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caav.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\caavguiscan.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ccupdate.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\casecuritycenter.exe] 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfp.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cfpupdat.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cmdagent.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DRWEB32.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FAMEH32.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPAVServer.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fpscan.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FPWin.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsav32.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\fsgk32st.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\FSMA32.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxservice.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\guardxup.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\navigator.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NAVSTUB.EXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Nvcc.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\outpost.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\preupd.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\pskdr.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SfFnUp.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Vba32arkit.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vba32ldr.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Zanda.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zapro.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Zlh.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zoneband.dll]


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon, as shown in the picture.
In your next message, post the log that is produced at the end of the cleaning/scan.

  • Joined: 23 Oct 2007
  • Posts: 49

Posted: 29 Apr 2009 11:18

done


ComboFix 09-04-27.03 - Administrator 29/04/2009 11:04.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.389.1033.18.127.18 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\345450611.dat
c:\windows\system32\ahuii.exe
c:\windows\system32\drivers\ws2_32sik.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\345450611.dat
c:\windows\system32\ahuii.exe
c:\windows\system32\drivers\ws2_32sik.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HTTPFILTEREVENTLOG
-------\Legacy_WS2_32SIK
-------\Service_HTTPFilterEventlog
-------\Service_ws2_32sik


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-24 10:40 . 2009-04-24 10:40 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-24 10:40 . 2009-01-04 16:38 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-24 10:40 . 2009-01-04 16:38 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-24 10:40 . 2009-04-24 10:40 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-24 10:40 . 2009-04-24 10:40 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-23 07:13 . 2009-04-23 07:14 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-23 07:13 . 2009-04-23 07:21 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 09:09 . 2005-12-14 11:53 -------- d-----w c:\program files\Microsoft AntiSpyware
2009-04-27 10:33 . 2008-10-01 12:01 -------- d-----w c:\program files\Trend Micro
2009-04-27 06:19 . 2006-01-06 12:24 -------- d-----w c:\program files\Pozaren pridones
2009-04-23 12:15 . 2006-09-29 06:04 -------- d-----w c:\program files\Cistacki
2009-04-06 07:02 . 2008-01-31 06:56 -------- d-----w c:\program files\Honorarci
2009-04-03 07:31 . 2006-02-14 06:48 -------- d-----w c:\program files\Provizija
2009-04-03 07:21 . 2002-09-12 10:59 -------- d-----w c:\program files\Virmani
2009-03-26 12:04 . 2008-01-25 08:14 -------- d-----w c:\program files\Hrana
2009-03-25 13:46 . 2008-01-28 11:06 -------- d-----w c:\program files\Prevoz
2002-09-12 10:31 . 2002-09-12 10:59 7510 ----a-w c:\program files\ST6UNST.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-03 1667584]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cpqek"="c:\program files\Compaq\Compaq EAB Software\cpqek.exe" [2001-09-12 73728]
"ChkAdmin"="c:\progra~1\Compaq\COMPAQ~2\CHKADMIN.EXE" [2001-12-03 81920]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 473928]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]
"USB SECURITY DEVICE CoInstaller"="JupitCo.exe" - c:\windows\system32\JupitCo.exe [2002-03-14 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 NHostNT1;NetOp Driver 1 ver. 7.50 (2002343);c:\windows\System32\Drivers\NHOSTNT1.SYS [2002-12-09 54032]
R2 JUPITER;USB SECURITY DEVICE;c:\windows\system32\DRIVERS\JUPITER.sys [2002-03-19 9312]
S1 ClntMgmt;Compaq Client Management Driver;c:\windows\system32\Drivers\ClntMgmt.sys [2001-11-29 53926]
S2 CpqDfwWebAgent;Compaq Remote Diagnostics Enabling Agent;c:\windows\Cpqdiag\Cpqdfwag.exe [2001-11-19 212992]
S2 cpqdiag;Compaq Diagnostics Driver;c:\windows\System32\drivers\cpqdiag.sys [2001-06-20 41344]
S2 cpqWebDmi;Compaq DMI Web Agent;c:\progra~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe [2001-12-03 24576]
S2 LCRMS;Insight Manager LC Remote Management;c:\program files\Compaq\LCRMS\LCRMS.EXE [2000-05-23 376881]
S2 LogWatch;Event Log Watch;c:\windows\LogWatNT.exe [2000-06-08 50176]
S2 NetOp Host for NT Service;NetOp Helper ver. 7.50 (2002343);c:\program files\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE [2002-12-09 1085712]
S3 NHOSTNT3;NetOp Driver 3 ver. 7.50 (2002343);c:\windows\System32\Drivers\NHOSTNT3.SYS [2002-12-09 3216]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5964c399-fb12-11dc-af9f-00080214b5d4}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe nar.vbs
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.trazim.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {F9463571-87CB-4A90-A1AC-2284B7F5AF4E} - hxxps://www.banka.com.mk/Ctrls/Ctrls.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-04-29 11:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\compaq\ACLIENT\AClient.exe
c:\program files\COMPAQ\Compaq Management Agents\Cpqalert.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\program files\COMPAQ\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
c:\progra~1\COMPAQ\COMPAQ~2\Cpqdmi.exe
c:\program files\Microsoft AntiSpyware\gcasDtServ.exe
.
**************************************************************************
.
Completion time: 2009-04-29 11:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 09:12
ComboFix2.txt 2009-04-28 09:31
ComboFix3.txt 2009-04-28 06:59
ComboFix4.txt 2008-10-08 06:22

Pre-Run: 28,560,748,544 bytes free
Post-Run: 28,531,003,392 bytes free


Addendum: 29 Apr 2009 11:19

done



  • diarno (Male)
  • Anti Malware Fighter, Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

What is the situation now?

Do this as well, just so we can check that the USB device you own is not also infected, since traces of some worm are visible in the log.

- Download USBNoRisk to the Desktop and run it by double-clicking the program icon.
- Wait a few seconds while the program performs its initial scan.
- Insert all of your USB storage devices one by one into the USB slot and keep each one in the slot for 10 seconds.
- If you have more than one device to check, write down on a piece of paper the order in which they were inserted, because we will need that information later.
- When you have finished with all the devices, right-click in the middle of the program window and choose the Save log option. That will automatically open the log in Notepad. Copy that log from Notepad to the forum for us.

Explanation: USB storage devices are all those devices that receive their own drive letter when connected to the computer. These include USB flash drives, external hard disks, memory cards, MP3 and MP4 players, some mobile phones, some GPS (navigation) devices, etc.

  • Joined: 23 Oct 2007
  • Posts: 49

The situation is great now; so far everything works, and even the CD drive has started reading. I have also successfully installed an AV and it is working.
Here is the log file for 2 USB memory cards

USBNoRisk 2.1 by bobby

Started at 30/04/2009 12:06:19 PM

Scanning for connected USB Mass storage...
----------------------------------------
========================================

Scanning for other storage...
----------------------------------------
C: {d97ce59e-deb9-11db-ae87-806d6172696f}
========================================


Scanning fixed storage for autorun.inf files...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for d97ce59e-deb9-11db-ae87-806d6172696f
----------------------------------------

========================================
Initial scan finished!
========================================


New device connected at 30/04/2009 12:06:32 PM

Scanning for connected USB mass storage...
----------------------------------------
E: {599ae974-7a4f-11dd-b013-00080214b5d4}
Added E:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on E:
----------------------------------------
No Autorun.inf files found on E:
No mountpoint found for 599ae974-7a4f-11dd-b013-00080214b5d4
----------------------------------------

No Desktop.ini files found on E:
----------------------------------------

No mimics found on drive E:
========================================

========================================
Removed E:
========================================


New device connected at 30/04/2009 12:07:10 PM

Scanning for connected USB mass storage...
----------------------------------------
E: {aab2e3fe-356e-11de-b0ef-00080214b5d4}
Added E:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on E:
----------------------------------------
No Autorun.inf files found on E:
No mountpoint found for aab2e3fe-356e-11de-b0ef-00080214b5d4
----------------------------------------

No Desktop.ini files found on E:
----------------------------------------

No mimics found on drive E:
========================================

  • diarno (Male)
  • Anti Malware Fighter, Rank 2
  • Joined: 15 Jun 2007
  • Posts: 5572

OK.. that's it.. type in Run: Combofix /u
