76 viruses


  • Joined: 14 Aug 2010
  • Posts: 185

Posted: 10 Oct 2010 0:24

Here it is again:


ComboFix 10-10-09.03 - Violeta 10.2010 г. 1:09.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1251.359.1033.18.382.105 [GMT 3:00]
Running from: c:\documents and settings\Violeta\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-09-09 to 2010-10-09 )))))))))))))))))))))))))))))))
.

2010-10-09 21:39 . 2010-10-09 21:39 182656 ----a-w- C:\ndis_dllcache(2).bak
2010-10-09 21:39 . 2010-10-09 21:39 182656 ----a-w- C:\ndis_drivers(2).bak
2010-10-09 21:28 . 2010-10-09 21:28 182656 ----a-w- C:\ndis_dllcache(1).bak
2010-10-09 21:28 . 2010-10-09 21:28 182656 ----a-w- C:\ndis_drivers(1).bak
2010-10-09 21:27 . 2010-10-09 21:27 211072 ----a-w- C:\ndis_dllcache.bak
2010-10-09 21:27 . 2010-10-09 21:27 211072 ----a-w- C:\ndis_drivers.bak
2010-10-09 21:15 . 2010-10-09 21:14 39424 ----a-w- c:\windows\system32\grpconv.exe
2010-10-08 19:23 . 2010-04-29 12:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-08 19:23 . 2010-10-08 20:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-08 19:23 . 2010-04-29 12:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-08 18:01 . 2010-10-08 18:01 -------- d-----w- c:\documents and settings\Violeta\Local Settings\Application Data\Mozilla
2010-10-06 17:33 . 2010-10-06 17:33 -------- d-----w- c:\documents and settings\Violeta\Application Data\Malwarebytes
2010-10-06 17:33 . 2010-10-06 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-28 08:47 . 2010-09-28 08:47 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[-] 2010-10-09 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ndis.sys
[-] 2010-10-09 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys
[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ndis.sys

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe
[-] 2004-08-04 . F6122644E583AB757CC906493397687B . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
[-] 2004-08-04 . 8298A792898A05625DEE9AD16C355132 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\winlogon.exe

[-] 2010-09-25 . 1109F551183AF08358890BABA239CD9C . 1032192 . . [6.00.2900.2180] . . c:\windows\explorer.exe
[-] 2010-09-23 . 6ADEF6D995FCB0E64F5EA1B8FB08029F . 1032192 . . [6.00.2900.2180] . . c:\windows\system32\dllcache\explorer.exe
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-10-09_20.23.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-09 21:41 . 2010-10-09 21:41 16384 c:\windows\Temp\Perflib_Perfdata_648.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitComet"="e:\bitcomet\BitComet.exe" [2009-07-31 2674488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-31 16248320]
"SkyTel"="SkyTel.EXE" [2009-08-31 2879488]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-11 344064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-08-31 761946]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-20 149280]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-23 487424]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-14 22:04 39792 -c--a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 21:47 31016 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-03 22:06 1667584 ------w- c:\program files\Messenger\msmsgs.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Nakido\\nakido.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26540:TCP"= 26540:TCP:BitComet 26540 TCP
"26540:UDP"= 26540:UDP:BitComet 26540 UDP

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [08.10.2010 г. 22:23 304464]
R2 Nakido;Nakido;c:\program files\Nakido\nakido.exe [23.1.2010 г. 09:12 330240]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [08.10.2010 г. 22:23 20952]
S2 gupdate;Услуга Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [17.5.2010 г. 00:30 135664]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [31.8.2009 г. 12:57 20160]
.
Contents of the 'Scheduled Tasks' folder

2010-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 21:29]

2010-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 21:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &D&ownload &with BitComet - e:\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - e:\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - e:\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Violeta\Application Data\Mozilla\Firefox\Profiles\tnz6ho4j.default\
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: e:\divx\DivX Player\npDivxPlayerPlugin.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(496)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-10-10 01:21:43
ComboFix-quarantined-files.txt 2010-10-09 22:21
ComboFix2.txt 2010-10-09 20:25
ComboFix3.txt 2010-10-09 17:14

Pre-Run: 341 995 520 bytes free
Post-Run: 332 193 792 bytes free

- - End Of File - - 96A68A78FDCB6A1C6503B2E2599BA916

Update: 10 Oct 2010 14:45

Both files have been uploaded.

  • Joined: 04 Jan 2009
  • Posts: 2168

Open Notepad and copy the following text:

FCOPY::
c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe|c:\windows\system32\dllcache\explorer.exe
c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe|c:\windows\system32\dllcache\winlogon.exe
c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe|c:\windows\explorer.exe
c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe|c:\windows\system32\winlogon.exe


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post in your next reply the log that is produced at the end of the cleaning/scan.

  • Joined: 14 Aug 2010
  • Posts: 185

Posted: 10 Oct 2010 22:11

ComboFix 10-10-09.06 - Violeta 10.2010 г. 22:58:33.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1251.359.1033.18.382.116 [GMT 3:00]
Running from: c:\documents and settings\Violeta\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Violeta\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe --> c:\windows\system32\dllcache\explorer.exe
c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe --> c:\windows\system32\dllcache\winlogon.exe
c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe --> c:\windows\explorer.exe
c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe --> c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((( Files Created from 2010-09-10 to 2010-10-10 )))))))))))))))))))))))))))))))
.

2010-10-09 21:39 . 2010-10-09 21:39 182656 ----a-w- C:\ndis_dllcache(2).bak
2010-10-09 21:39 . 2010-10-09 21:39 182656 ----a-w- C:\ndis_drivers(2).bak
2010-10-09 21:28 . 2010-10-09 21:28 182656 ----a-w- C:\ndis_dllcache(1).bak
2010-10-09 21:28 . 2010-10-09 21:28 182656 ----a-w- C:\ndis_drivers(1).bak
2010-10-09 21:27 . 2010-10-09 21:27 211072 ----a-w- C:\ndis_dllcache.bak
2010-10-09 21:27 . 2010-10-09 21:27 211072 ----a-w- C:\ndis_drivers.bak
2010-10-09 21:15 . 2010-10-09 21:14 39424 ----a-w- c:\windows\system32\grpconv.exe
2010-10-08 19:23 . 2010-04-29 12:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-08 19:23 . 2010-10-08 20:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-08 19:23 . 2010-04-29 12:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-08 18:01 . 2010-10-08 18:01 -------- d-----w- c:\documents and settings\Violeta\Local Settings\Application Data\Mozilla
2010-10-06 17:33 . 2010-10-06 17:33 -------- d-----w- c:\documents and settings\Violeta\Application Data\Malwarebytes
2010-10-06 17:33 . 2010-10-06 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-28 08:47 . 2010-09-28 08:47 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[-] 2010-10-09 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ndis.sys
[-] 2010-10-09 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys
[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ndis.sys

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe
[-] 2008-04-14 . 51AD0455B7C2A6E50C35DCF5BD798B50 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 015CD27FE4C955A6638CBA2F27D72B15 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-10-09_20.23.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-10 12:22 . 2010-10-10 12:22 16384 c:\windows\Temp\Perflib_Perfdata_654.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitComet"="e:\bitcomet\BitComet.exe" [2009-07-31 2674488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-31 16248320]
"SkyTel"="SkyTel.EXE" [2009-08-31 2879488]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-11 344064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-08-31 761946]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-20 149280]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-14 22:04 39792 -c--a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-04-12 22:46 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 21:47 31016 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-03 22:06 1667584 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2006-11-23 23:06 487424 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Nakido\\nakido.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26540:TCP"= 26540:TCP:BitComet 26540 TCP
"26540:UDP"= 26540:UDP:BitComet 26540 UDP

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [08.10.2010 г. 22:23 304464]
R2 Nakido;Nakido;c:\program files\Nakido\nakido.exe [23.1.2010 г. 09:12 330240]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [08.10.2010 г. 22:23 20952]
S2 gupdate;Услуга Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [17.5.2010 г. 00:30 135664]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [31.8.2009 г. 12:57 20160]
.
Contents of the 'Scheduled Tasks' folder

2010-10-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 21:29]

2010-10-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 21:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &D&ownload &with BitComet - e:\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - e:\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - e:\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Violeta\Application Data\Mozilla\Firefox\Profiles\tnz6ho4j.default\
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: e:\divx\DivX Player\npDivxPlayerPlugin.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(500)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-10-10 23:09:18
ComboFix-quarantined-files.txt 2010-10-10 20:09
ComboFix2.txt 2010-10-09 22:21
ComboFix3.txt 2010-10-09 20:25
ComboFix4.txt 2010-10-09 17:14

Pre-Run: 381 865 984 bytes free
Post-Run: 367 407 104 bytes free

- - End Of File - - 4E0CD5C1A681BC7B2FDE2D0C41DDACC3

Update: 10 Oct 2010 23:07

ComboFix 10-10-09.06 - Violeta 10.2010 г. 23:53:16.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1251.359.1033.18.382.111 [GMT 3:00]
Running from: c:\documents and settings\Violeta\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Violeta\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\explorer.exe . . . is infected!!

.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe --> c:\windows\system32\dllcache\explorer.exe
c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe --> c:\windows\system32\dllcache\winlogon.exe
c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe --> c:\windows\explorer.exe
c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe --> c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((( Files Created from 2010-09-10 to 2010-10-10 )))))))))))))))))))))))))))))))
.

2010-10-09 21:39 . 2010-10-09 21:39 182656 ----a-w- C:\ndis_dllcache(2).bak
2010-10-09 21:39 . 2010-10-09 21:39 182656 ----a-w- C:\ndis_drivers(2).bak
2010-10-09 21:28 . 2010-10-09 21:28 182656 ----a-w- C:\ndis_dllcache(1).bak
2010-10-09 21:28 . 2010-10-09 21:28 182656 ----a-w- C:\ndis_drivers(1).bak
2010-10-09 21:27 . 2010-10-09 21:27 211072 ----a-w- C:\ndis_dllcache.bak
2010-10-09 21:27 . 2010-10-09 21:27 211072 ----a-w- C:\ndis_drivers.bak
2010-10-09 21:15 . 2010-10-09 21:14 39424 ----a-w- c:\windows\system32\grpconv.exe
2010-10-08 19:23 . 2010-04-29 12:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-08 19:23 . 2010-10-08 20:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-08 19:23 . 2010-04-29 12:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-08 18:01 . 2010-10-08 18:01 -------- d-----w- c:\documents and settings\Violeta\Local Settings\Application Data\Mozilla
2010-10-06 17:33 . 2010-10-06 17:33 -------- d-----w- c:\documents and settings\Violeta\Application Data\Malwarebytes
2010-10-06 17:33 . 2010-10-06 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-28 08:47 . 2010-09-28 08:47 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[-] 2010-10-09 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ndis.sys
[-] 2010-10-09 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys
[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ndis.sys

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe
[-] 2008-04-14 . 51AD0455B7C2A6E50C35DCF5BD798B50 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 015CD27FE4C955A6638CBA2F27D72B15 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-10-09_20.23.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-10 12:22 . 2010-10-10 12:22 16384 c:\windows\Temp\Perflib_Perfdata_654.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitComet"="e:\bitcomet\BitComet.exe" [2009-07-31 2674488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-31 16248320]
"SkyTel"="SkyTel.EXE" [2009-08-31 2879488]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-11 344064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-08-31 761946]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-20 149280]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-14 22:04 39792 -c--a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-04-12 22:46 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 21:47 31016 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-03 22:06 1667584 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2006-11-23 23:06 487424 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Nakido\\nakido.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26540:TCP"= 26540:TCP:BitComet 26540 TCP
"26540:UDP"= 26540:UDP:BitComet 26540 UDP

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [08.10.2010 г. 22:23 304464]
R2 Nakido;Nakido;c:\program files\Nakido\nakido.exe [23.1.2010 г. 09:12 330240]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [08.10.2010 г. 22:23 20952]
S2 gupdate;Услуга Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [17.5.2010 г. 00:30 135664]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [31.8.2009 г. 12:57 20160]
.
Contents of the 'Scheduled Tasks' folder

2010-10-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 21:29]

2010-10-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 21:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &D&ownload &with BitComet - e:\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - e:\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - e:\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Violeta\Application Data\Mozilla\Firefox\Profiles\tnz6ho4j.default\
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: e:\divx\DivX Player\npDivxPlayerPlugin.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(496)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-10-11 00:05:24
ComboFix-quarantined-files.txt 2010-10-10 21:05
ComboFix2.txt 2010-10-10 20:09
ComboFix3.txt 2010-10-09 22:21
ComboFix4.txt 2010-10-09 20:25
ComboFix5.txt 2010-10-10 20:51

Pre-Run: 374 820 864 bytes free
Post-Run: 362 119 168 bytes free

- - End Of File - - DFD9AA6964287140B33175B07D19B8DD

  • Joined: 04 Jan 2009
  • Posts: 2168

Open Notepad and copy the following text:

FCOPY::
c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe|c:\windows\explorer.exe


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post in your next reply the log that is produced at the end of the cleaning/scan.

Note: If the following prompt appears:

Click Cancel, then Yes at the next prompt.



  • Joined: 14 Aug 2010
  • Posts: 185

Both files are infected again ... am I doing something wrong, or?????



ComboFix 10-10-09.06 - Violeta 10.2010 г. 1:15.7.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1251.359.1033.18.382.118 [GMT 3:00]
Running from: c:\documents and settings\Violeta\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-09-10 to 2010-10-10 )))))))))))))))))))))))))))))))
.

2010-10-09 21:39 . 2010-10-09 21:39 182656 ----a-w- C:\ndis_dllcache(2).bak
2010-10-09 21:39 . 2010-10-09 21:39 182656 ----a-w- C:\ndis_drivers(2).bak
2010-10-09 21:28 . 2010-10-09 21:28 182656 ----a-w- C:\ndis_dllcache(1).bak
2010-10-09 21:28 . 2010-10-09 21:28 182656 ----a-w- C:\ndis_drivers(1).bak
2010-10-09 21:27 . 2010-10-09 21:27 211072 ----a-w- C:\ndis_dllcache.bak
2010-10-09 21:27 . 2010-10-09 21:27 211072 ----a-w- C:\ndis_drivers.bak
2010-10-09 21:15 . 2010-10-09 21:14 39424 ----a-w- c:\windows\system32\grpconv.exe
2010-10-08 19:23 . 2010-04-29 12:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-08 19:23 . 2010-10-08 20:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-08 19:23 . 2010-04-29 12:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-08 18:01 . 2010-10-08 18:01 -------- d-----w- c:\documents and settings\Violeta\Local Settings\Application Data\Mozilla
2010-10-06 17:33 . 2010-10-06 17:33 -------- d-----w- c:\documents and settings\Violeta\Application Data\Malwarebytes
2010-10-06 17:33 . 2010-10-06 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-28 08:47 . 2010-09-28 08:47 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[-] 2010-10-09 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ndis.sys
[-] 2010-10-09 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys
[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ndis.sys

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe
[-] 2008-04-14 . 51AD0455B7C2A6E50C35DCF5BD798B50 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 015CD27FE4C955A6638CBA2F27D72B15 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-10-09_20.23.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-10 22:11 . 2010-10-10 22:11 16384 c:\windows\Temp\Perflib_Perfdata_5fc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitComet"="e:\bitcomet\BitComet.exe" [2009-07-31 2674488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-31 16248320]
"SkyTel"="SkyTel.EXE" [2009-08-31 2879488]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-11 344064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-08-31 761946]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-20 149280]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-14 22:04 39792 -c--a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-04-12 22:46 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 21:47 31016 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-03 22:06 1667584 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2006-11-23 23:06 487424 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Nakido\\nakido.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26540:TCP"= 26540:TCP:BitComet 26540 TCP
"26540:UDP"= 26540:UDP:BitComet 26540 UDP

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [08.10.2010 г. 22:23 304464]
R2 Nakido;Nakido;c:\program files\Nakido\nakido.exe [23.1.2010 г. 09:12 330240]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [08.10.2010 г. 22:23 20952]
S2 gupdate;Услуга Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [17.5.2010 г. 00:30 135664]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [31.8.2009 г. 12:57 20160]
.
Contents of the 'Scheduled Tasks' folder

2010-10-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 21:29]

2010-10-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 21:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &D&ownload &with BitComet - e:\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - e:\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - e:\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Violeta\Application Data\Mozilla\Firefox\Profiles\tnz6ho4j.default\
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: e:\divx\DivX Player\npDivxPlayerPlugin.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(500)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-10-11 01:27:42
ComboFix-quarantined-files.txt 2010-10-10 22:27
ComboFix2.txt 2010-10-10 22:05
ComboFix3.txt 2010-10-10 21:05
ComboFix4.txt 2010-10-10 20:09
ComboFix5.txt 2010-10-10 22:14

Pre-Run: 355 045 376 bytes free
Post-Run: 345 993 216 bytes free

- - End Of File - - B344905D07275E65CB351160E8ECF0A9

offline
  • Joined: 04 Jan 2009
  • Posts: 2168

Download the BootDel.rar archive from the following link to the Desktop:

http://amf.mycity.rs/personal/Bogdan-Tc/BootDel.rar

Unpack the archive and run the file BootDel.bat by double-clicking its icon;

When the program finishes, post catchme.log here in a reply;

Restart the computer;

Note: If the following prompt appears:

Click Cancel, and then Yes on the next prompt.

After the computer restarts, run ComboFix again by double-clicking its icon and post the log you get.

offline
  • Joined: 14 Aug 2010
  • Posts: 185

Posted: 11 Oct 2010 20:15

I clicked BootDel.bat, it opened that little window and did something, then the first picture appeared where I should press Cancel, but I didn't even get to press it; a little window immediately appeared saying Windows can't find the catchme log, then a blue screen, and the computer restarted by itself.

Update: 11 Oct 2010 20:31

Here, it worked, only the computer restarted by itself:


file zipped: c:\windows\system32\dllcache\winlogon.exe -> catchme.zip -> winlogon.exe.5 ( 507904 bytes )
file "c:\windows\system32\dllcache\winlogon.exe" deleted successfully
file copied: c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe -> c:\windows\system32\dllcache\winlogon.exe ( 507904 bytes )
file zipped: c:\windows\system32\winlogon.exe -> catchme.zip -> winlogon.exe.6 ( 507904 bytes )
file "c:\windows\system32\winlogon.exe" deleted successfully
file copied: c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe -> c:\windows\system32\winlogon.exe ( 507904 bytes )
file zipped: c:\windows\system32\dllcache\explorer.exe -> catchme.zip -> explorer.exe.5 ( 1033728 bytes )
file "c:\windows\system32\dllcache\explorer.exe" deleted successfully
file copied: c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe -> c:\windows\system32\dllcache\explorer.exe ( 1033728 bytes )
file zipped: c:\windows\explorer.exe -> catchme.zip -> explorer.exe.6 ( 1033728 bytes )
file "c:\windows\explorer.exe" deleted successfully
file copied: c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe -> c:\windows\explorer.exe ( 1033728 bytes )

Update: 11 Oct 2010 20:50

This is getting worrying. Am I doing something wrong...?

ComboFix 10-10-11.01 - Violeta 10.2010 г. 21:37:07.8.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1251.359.1033.18.382.110 [GMT 3:00]
Running from: c:\documents and settings\Violeta\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-09-11 to 2010-10-11 )))))))))))))))))))))))))))))))
.

2010-10-11 18:09 . 2010-10-11 18:22 1033728 ----a-w- c:\windows\system32\dllcache\explorer.exe
2010-10-11 18:09 . 2010-10-11 18:21 507904 ----a-w- c:\windows\system32\dllcache\winlogon.exe
2010-10-09 21:39 . 2010-10-09 21:39 182656 ----a-w- C:\ndis_dllcache(2).bak
2010-10-09 21:39 . 2010-10-09 21:39 182656 ----a-w- C:\ndis_drivers(2).bak
2010-10-09 21:28 . 2010-10-09 21:28 182656 ----a-w- C:\ndis_dllcache(1).bak
2010-10-09 21:28 . 2010-10-09 21:28 182656 ----a-w- C:\ndis_drivers(1).bak
2010-10-09 21:27 . 2010-10-09 21:27 211072 ----a-w- C:\ndis_dllcache.bak
2010-10-09 21:27 . 2010-10-09 21:27 211072 ----a-w- C:\ndis_drivers.bak
2010-10-09 21:15 . 2010-10-09 21:14 39424 ----a-w- c:\windows\system32\grpconv.exe
2010-10-08 19:23 . 2010-04-29 12:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-08 19:23 . 2010-10-08 20:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-08 19:23 . 2010-04-29 12:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-08 18:01 . 2010-10-08 18:01 -------- d-----w- c:\documents and settings\Violeta\Local Settings\Application Data\Mozilla
2010-10-06 17:33 . 2010-10-06 17:33 -------- d-----w- c:\documents and settings\Violeta\Application Data\Malwarebytes
2010-10-06 17:33 . 2010-10-06 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-28 08:47 . 2010-09-28 08:47 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[-] 2010-10-09 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ndis.sys
[-] 2010-10-09 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys
[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ndis.sys

[-] 2010-10-11 . 51AD0455B7C2A6E50C35DCF5BD798B50 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2010-10-11 . D5435202D5D89517ADEB13DF630BCDF1 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\winlogon.exe
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe

[-] 2010-10-11 . 015CD27FE4C955A6638CBA2F27D72B15 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2010-10-11 . 8E9F456870E2EC9CEC357EBAE6A2C9BD . 1033728 . . [6.00.2900.5512] . . c:\windows\system32\dllcache\explorer.exe
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-10-09_20.23.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-11 10:26 . 2010-10-11 10:26 16384 c:\windows\Temp\Perflib_Perfdata_638.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitComet"="e:\bitcomet\BitComet.exe" [2009-07-31 2674488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-31 16248320]
"SkyTel"="SkyTel.EXE" [2009-08-31 2879488]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-11 344064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-08-31 761946]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-20 149280]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-14 22:04 39792 -c--a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-04-12 22:46 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 21:47 31016 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-03 22:06 1667584 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2006-11-23 23:06 487424 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Nakido\\nakido.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26540:TCP"= 26540:TCP:BitComet 26540 TCP
"26540:UDP"= 26540:UDP:BitComet 26540 UDP

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [08.10.2010 г. 22:23 304464]
R2 Nakido;Nakido;c:\program files\Nakido\nakido.exe [23.1.2010 г. 09:12 330240]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [08.10.2010 г. 22:23 20952]
S2 gupdate;Услуга Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [17.5.2010 г. 00:30 135664]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [31.8.2009 г. 12:57 20160]
.
Contents of the 'Scheduled Tasks' folder

2010-10-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 21:29]

2010-10-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 21:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &D&ownload &with BitComet - e:\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - e:\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - e:\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Violeta\Application Data\Mozilla\Firefox\Profiles\tnz6ho4j.default\
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: e:\divx\DivX Player\npDivxPlayerPlugin.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(484)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-10-11 21:49:28
ComboFix-quarantined-files.txt 2010-10-11 18:49
ComboFix2.txt 2010-10-10 22:27
ComboFix3.txt 2010-10-10 22:05
ComboFix4.txt 2010-10-10 21:05
ComboFix5.txt 2010-10-11 18:34

Pre-Run: 171 020 288 bytes free
Post-Run: 190 246 912 bytes free

- - End Of File - - 626583BC32CD604175E7E9FFD3EB8FC1

offline
  • Joined: 04 Jan 2009
  • Posts: 2168

Sorry for the wait.

Download SF.rar from the following link to the Desktop:

http://amf.mycity.rs/personal/Bogdan-Tc/SF.rar

Unpack SF.rar into a folder;

Run the file COPY.bat by double-clicking its icon;

When COPY.bat finishes, run MOVE.bat by double-clicking its icon;

When it finishes, a file log.txt will be created in the same folder; copy it here in a reply;

Restart the computer;

Run ComboFix again by double-clicking its icon and post the report/log here in a reply.

offline
  • Joined: 14 Aug 2010
  • Posts: 185

I'll only be able to do that tonight when I get home from work. But I can't restart her computer; I always have to shut it down and turn it back on. When I click Restart, simply nothing happens.

offline
  • Joined: 04 Jan 2009
  • Posts: 2168

No problem, post the logs when you've done it.

When you get to the part where you need to restart the computer, do the following:

Start > Run, type CMD and press Enter;

In the window that appears, paste the following and press Enter:
shutdown -r -t 10

You will get a notification that the computer will shut down in 10 seconds and it will start counting down.

Then continue according to the instructions.

If it happens that it won't restart with this command, do it the way you have been doing so far.
