AdobeR.exe infection, help needed

  • Joined: 01 Nov 2008
  • Posts: 87
  • Location: Kragujevac

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:48:35, on 4/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
C:\WINDOWS\AdobeR.exe
D:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\XP\Start Menu\Programs\Startup\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\XP\Desktop\asasawdasfsjgdfjhdjhfjfjkflhjfjhhj\asasasasa.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [PCTVRemote] C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [RavAV] C:\WINDOWS\AdobeR.exe
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] E:\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\kamsoft.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA759D97-7E0A-4076-A1A4-0D1018F91656}: NameServer = 212.200.191.166,212.200.190.166
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 5958 bytes

  • DEMIAN (Male)
  • Legendary citizen
  • IT Manager
  • Joined: 25 Mar 2005
  • Posts: 3706
  • Location: The darkest place on earth..

Hi,

Open the AVG 8 Control Center (right-click the AVG icon in the bottom right corner of the screen, then choose Open AVG User Interface).
* When the AVG Control Center starts, double-click the Resident Shield component.
* In the window that opens, untick the Resident Shield active option and click Save changes.

Note: Don't forget to turn this option back on once the cleanup is finished.
--------------

Then download ComboFix to the Desktop from one of the following addresses:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and don't touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear; paste it here for us.

  • Joined: 01 Nov 2008
  • Posts: 87
  • Location: Kragujevac

Hi, I did as you told me.... What next??? (Thanks in advance.)

ComboFix 09-04-04.01 - XP 2009-04-09 16:26:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255.52 [GMT 2:00]
Running from: c:\documents and settings\XP\Desktop\ComboFix.exe
AV: AVG Anti-Virus 7.0.308 *On-access scanning disabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\2.bat
C:\a1agmur.cmd
C:\autorun.inf
C:\dbrxubcw.com
c:\docume~1\XP\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\XP\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\XP\ravmonlog
c:\documents and settings\XP\Start Menu\Programs\Startup\ctfmon.exe
C:\em8tqm.cmd
C:\gyn.cmd
C:\jm3cx96.bat
C:\minm.cmd
C:\o.exe
c:\program files\Internet Explorer\ws2help.dll
c:\recycled\Recycled
c:\recycled\Recycled\ctfmon.exe
C:\u.com
C:\upw.bat
C:\uxkl0apt.bat
c:\windows\adober.exe
c:\windows\IE4 Error Log.txt
c:\windows\system32\gasretyw0.dll
c:\windows\system32\gasretyw1.dll
c:\windows\system32\kamsoft.exe
c:\windows\system32\nmdfgds0.dll
c:\windows\system32\nmdfgds1.dll
c:\windows\system32\olhrwef.exe
C:\yh.cmd
D:\2.bat
D:\a1agmur.cmd
D:\Autorun.inf
D:\dbrxubcw.com
D:\em8tqm.cmd
D:\gyn.cmd
D:\jm3cx96.bat
D:\minm.cmd
D:\u.com
D:\upw.bat
D:\uxkl0apt.bat
D:\yh.cmd

.
((((((((((((((((((((((((( Files Created from 2009-03-09 to 2009-04-09 )))))))))))))))))))))))))))))))
.

2009-04-06 20:04 . 2009-04-08 18:55 109,396 -r-hs---- C:\1ogf.exe
2009-04-02 22:51 . 2009-04-03 21:02 110,157 -r-hs---- C:\cqxj.exe
2009-04-01 21:12 . 2009-04-01 21:11 108,083 -r-hs---- C:\o3n9k.com
2009-03-31 00:26 . 2009-03-31 00:26 268 --ah----- C:\sqmdata00.sqm
2009-03-31 00:26 . 2009-03-31 00:26 244 --ah----- C:\sqmnoopt00.sqm
2009-03-28 20:20 . 2009-03-31 00:27 110,838 -r-hs---- C:\0bcobed.exe
2009-03-28 20:17 . 2009-03-28 20:17 <DIR> d--hs---- C:\found.000
2009-03-19 20:47 . 2009-03-19 20:47 <DIR> d-------- c:\program files\Cheating-Death
2009-03-19 20:43 . 2009-03-19 20:45 <DIR> d-------- c:\program files\Counter-Strike 1.6
2009-03-18 15:38 . 2009-03-18 15:38 110,053 -r-hs---- C:\q0dhfjf.exe
2009-03-16 14:46 . 2009-03-16 17:01 111,363 -r-hs---- C:\luk1ylq.com
2009-03-12 19:29 . 2009-03-12 19:28 108,968 -r-hs---- C:\xdw.com
2009-03-10 19:53 . 2009-03-11 19:54 107,190 -r-hs---- C:\cb.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-10 10:19 --------- d-----w c:\documents and settings\All Users\Application Data\AVG7
2009-03-09 10:43 108,664 --sh--r C:\i.com
2009-03-08 21:44 --------- d-----w c:\program files\Google
2009-03-03 14:07 --------- d-----w c:\program files\MSXML 4.0
2009-03-02 19:59 --------- d-----w c:\documents and settings\XP\Application Data\Talkback
2009-03-02 19:53 --------- d-----w c:\program files\Common Files\xing shared
2009-03-02 19:53 --------- d-----w c:\program files\Common Files\Real
2009-03-02 19:51 --------- d-----w c:\program files\Real
2009-03-02 19:27 --------- d-----w c:\program files\MSN Messenger
2009-03-02 19:26 --------- d-----w c:\program files\Chec
2009-03-02 19:20 --------- d-----w c:\program files\Opera
2009-03-01 11:52 --------- d-----w c:\documents and settings\XP\Application Data\SumatraPDF
2009-02-10 20:24 --------- d-----w c:\program files\Counter-Strike
2009-04-05 19:15 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-04-05 19:15 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-04-05 19:15 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-04-05 19:15 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-04-05 19:15 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2006-12-11 11:25 56 --sh--r c:\windows\system32\12B8CEAF74.sys
2006-12-11 11:25 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2006-12-11 347136]
"AVG7_EMC"="c:\progra~1\Grisoft\AVGFRE~1\avgemc.exe" [2006-12-11 271872]
"AGRSMMSG"="AGRSMMSG.exe" [2002-01-15 c:\windows\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-12-14 c:\windows\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2006-12-11 148992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVIDEO"= pctvcap.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"VIDC.HFYU"= huffyuv.dll
"vidc.ffds"= c:\program files\ffdshow\ffdshow.ax
"VIDC.ACDV"= ACDV.dll
"vidc.vp31"= vp31vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-11-09 00:00 128920 d:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 13:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVRemote]
--------- 2002-01-28 20:12 61440 c:\program files\Pinnacle\Pinnacle PCTV\Remote\remoterm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-09 12:45 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2009-03-02 21:52 198160 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-05-25 19:35 35328 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Counter-Strike 1.6\\hl.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18871:TCP"= 18871:TCP:NortonAV
"14667:TCP"= 14667:TCP:NortonAV
"18792:TCP"= 18792:TCP:NortonAV
"16478:TCP"= 16478:TCP:NortonAV
"13590:TCP"= 13590:TCP:NortonAV
"13319:TCP"= 13319:TCP:NortonAV
"12521:TCP"= 12521:TCP:NortonAV
"13464:TCP"= 13464:TCP:NortonAV
"17330:TCP"= 17330:TCP:NortonAV
"17958:TCP"= 17958:TCP:NortonAV
"13685:TCP"= 13685:TCP:NortonAV
"12687:TCP"= 12687:TCP:NortonAV
"17401:TCP"= 17401:TCP:NortonAV
"12942:TCP"= 12942:TCP:NortonAV
"17929:TCP"= 17929:TCP:NortonAV
"17667:TCP"= 17667:TCP:NortonAV
"14098:TCP"= 14098:TCP:NortonAV
"17379:TCP"= 17379:TCP:NortonAV
"18205:TCP"= 18205:TCP:NortonAV
"18539:TCP"= 18539:TCP:NortonAV
"16916:TCP"= 16916:TCP:NortonAV
"12825:TCP"= 12825:TCP:NortonAV
"17034:TCP"= 17034:TCP:NortonAV
"12629:TCP"= 12629:TCP:NortonAV
"17872:TCP"= 17872:TCP:NortonAV
"17268:TCP"= 17268:TCP:NortonAV
"18271:TCP"= 18271:TCP:NortonAV
"18785:TCP"= 18785:TCP:NortonAV
"17441:TCP"= 17441:TCP:NortonAV
"14998:TCP"= 14998:TCP:NortonAV
"15685:TCP"= 15685:TCP:NortonAV
"17145:TCP"= 17145:TCP:NortonAV
"12444:TCP"= 12444:TCP:NortonAV
"14069:TCP"= 14069:TCP:NortonAV
"12720:TCP"= 12720:TCP:NortonAV
"12955:TCP"= 12955:TCP:NortonAV
"16379:TCP"= 16379:TCP:NortonAV
"14328:TCP"= 14328:TCP:NortonAV
"12187:TCP"= 12187:TCP:NortonAV
"14622:TCP"= 14622:TCP:NortonAV
"16169:TCP"= 16169:TCP:NortonAV
"14750:TCP"= 14750:TCP:NortonAV
"16773:TCP"= 16773:TCP:NortonAV
"15471:TCP"= 15471:TCP:NortonAV
"16109:TCP"= 16109:TCP:NortonAV
"13658:TCP"= 13658:TCP:NortonAV
"14157:TCP"= 14157:TCP:NortonAV
"17181:TCP"= 17181:TCP:NortonAV
"14382:TCP"= 14382:TCP:NortonAV
"17292:TCP"= 17292:TCP:NortonAV
"15805:TCP"= 15805:TCP:NortonAV
"15866:TCP"= 15866:TCP:NortonAV
"15387:TCP"= 15387:TCP:NortonAV
"17523:TCP"= 17523:TCP:NortonAV
"17768:TCP"= 17768:TCP:NortonAV
"13316:TCP"= 13316:TCP:NortonAV
"15332:TCP"= 15332:TCP:NortonAV
"14995:TCP"= 14995:TCP:NortonAV
"13668:TCP"= 13668:TCP:NortonAV
"17386:TCP"= 17386:TCP:NortonAV
"12910:TCP"= 12910:TCP:NortonAV
"13375:TCP"= 13375:TCP:NortonAV
"16928:TCP"= 16928:TCP:NortonAV
"17211:TCP"= 17211:TCP:NortonAV
"18051:TCP"= 18051:TCP:NortonAV
"15313:TCP"= 15313:TCP:NortonAV
"18138:TCP"= 18138:TCP:NortonAV
"16480:TCP"= 16480:TCP:NortonAV
"17171:TCP"= 17171:TCP:NortonAV
"13743:TCP"= 13743:TCP:NortonAV
"14364:TCP"= 14364:TCP:NortonAV
"15022:TCP"= 15022:TCP:NortonAV
"12095:TCP"= 12095:TCP:NortonAV
"12428:TCP"= 12428:TCP:NortonAV
"15669:TCP"= 15669:TCP:NortonAV
"17757:TCP"= 17757:TCP:NortonAV
"14968:TCP"= 14968:TCP:NortonAV
"17290:TCP"= 17290:TCP:NortonAV
"16643:TCP"= 16643:TCP:NortonAV
"16638:TCP"= 16638:TCP:NortonAV
"18786:TCP"= 18786:TCP:NortonAV
"12573:TCP"= 12573:TCP:NortonAV
"16814:TCP"= 16814:TCP:NortonAV
"15004:TCP"= 15004:TCP:NortonAV
"18351:TCP"= 18351:TCP:NortonAV
"18969:TCP"= 18969:TCP:NortonAV
"18339:TCP"= 18339:TCP:NortonAV
"18831:TCP"= 18831:TCP:NortonAV
"16802:TCP"= 16802:TCP:NortonAV
"14445:TCP"= 14445:TCP:NortonAV
"13161:TCP"= 13161:TCP:NortonAV
"13452:TCP"= 13452:TCP:NortonAV
"13357:TCP"= 13357:TCP:NortonAV
"14523:TCP"= 14523:TCP:NortonAV
"18942:TCP"= 18942:TCP:NortonAV
"18602:TCP"= 18602:TCP:NortonAV
"16838:TCP"= 16838:TCP:NortonAV
"15752:TCP"= 15752:TCP:NortonAV
"16144:TCP"= 16144:TCP:NortonAV
"17987:TCP"= 17987:TCP:NortonAV
"13065:TCP"= 13065:TCP:NortonAV
"15880:TCP"= 15880:TCP:NortonAV
"12642:TCP"= 12642:TCP:NortonAV
"17756:TCP"= 17756:TCP:NortonAV
"18890:TCP"= 18890:TCP:NortonAV
"16768:TCP"= 16768:TCP:NortonAV
"18103:TCP"= 18103:TCP:NortonAV
"14764:TCP"= 14764:TCP:NortonAV
"13560:TCP"= 13560:TCP:NortonAV
"15111:TCP"= 15111:TCP:NortonAV
"13791:TCP"= 13791:TCP:NortonAV
"13662:TCP"= 13662:TCP:NortonAV
"16579:TCP"= 16579:TCP:NortonAV
"15798:TCP"= 15798:TCP:NortonAV
"16611:TCP"= 16611:TCP:NortonAV
"14740:TCP"= 14740:TCP:NortonAV
"14342:TCP"= 14342:TCP:NortonAV
"18243:TCP"= 18243:TCP:NortonAV
"12618:TCP"= 12618:TCP:NortonAV
"16648:TCP"= 16648:TCP:NortonAV
"12491:TCP"= 12491:TCP:NortonAV
"15333:TCP"= 15333:TCP:NortonAV
"18637:TCP"= 18637:TCP:NortonAV
"12601:TCP"= 12601:TCP:NortonAV
"14082:TCP"= 14082:TCP:NortonAV
"15565:TCP"= 15565:TCP:NortonAV
"12155:TCP"= 12155:TCP:NortonAV
"15628:TCP"= 15628:TCP:NortonAV
"18783:TCP"= 18783:TCP:NortonAV
"12935:TCP"= 12935:TCP:NortonAV
"17748:TCP"= 17748:TCP:NortonAV
"16205:TCP"= 16205:TCP:NortonAV
"17527:TCP"= 17527:TCP:NortonAV
"12383:TCP"= 12383:TCP:NortonAV
"12744:TCP"= 12744:TCP:NortonAV
"12735:TCP"= 12735:TCP:NortonAV
"15360:TCP"= 15360:TCP:NortonAV
"13429:TCP"= 13429:TCP:NortonAV
"13287:TCP"= 13287:TCP:NortonAV
"15799:TCP"= 15799:TCP:NortonAV
"12277:TCP"= 12277:TCP:NortonAV
"18259:TCP"= 18259:TCP:NortonAV
"18826:TCP"= 18826:TCP:NortonAV
"14139:TCP"= 14139:TCP:NortonAV
"18355:TCP"= 18355:TCP:NortonAV
"14171:TCP"= 14171:TCP:NortonAV
"13445:TCP"= 13445:TCP:NortonAV
"17734:TCP"= 17734:TCP:NortonAV
"14997:TCP"= 14997:TCP:NortonAV
"15145:TCP"= 15145:TCP:NortonAV
"18911:TCP"= 18911:TCP:NortonAV
"15947:TCP"= 15947:TCP:NortonAV
"14390:TCP"= 14390:TCP:NortonAV
"16074:TCP"= 16074:TCP:NortonAV
"17868:TCP"= 17868:TCP:NortonAV
"16035:TCP"= 16035:TCP:NortonAV
"13530:TCP"= 13530:TCP:NortonAV
"12962:TCP"= 12962:TCP:NortonAV
"14975:TCP"= 14975:TCP:NortonAV
"18589:TCP"= 18589:TCP:NortonAV
"17554:TCP"= 17554:TCP:NortonAV
"12447:TCP"= 12447:TCP:NortonAV
"18013:TCP"= 18013:TCP:NortonAV
"14153:TCP"= 14153:TCP:NortonAV
"14659:TCP"= 14659:TCP:NortonAV
"18750:TCP"= 18750:TCP:NortonAV
"13997:TCP"= 13997:TCP:NortonAV
"13204:TCP"= 13204:TCP:NortonAV
"18794:TCP"= 18794:TCP:NortonAV
"17657:TCP"= 17657:TCP:NortonAV
"12933:TCP"= 12933:TCP:NortonAV
"18139:TCP"= 18139:TCP:NortonAV
"12759:TCP"= 12759:TCP:NortonAV
"13700:TCP"= 13700:TCP:NortonAV
"17573:TCP"= 17573:TCP:NortonAV
"12217:TCP"= 12217:TCP:NortonAV
"17374:TCP"= 17374:TCP:NortonAV
"17411:TCP"= 17411:TCP:NortonAV
"17076:TCP"= 17076:TCP:NortonAV
"18072:TCP"= 18072:TCP:NortonAV
"17187:TCP"= 17187:TCP:NortonAV
"17819:TCP"= 17819:TCP:NortonAV
"13384:TCP"= 13384:TCP:NortonAV
"17564:TCP"= 17564:TCP:NortonAV
"12352:TCP"= 12352:TCP:NortonAV
"18129:TCP"= 18129:TCP:NortonAV
"16683:TCP"= 16683:TCP:NortonAV
"13393:TCP"= 13393:TCP:NortonAV
"13642:TCP"= 13642:TCP:NortonAV
"13091:TCP"= 13091:TCP:NortonAV
"14189:TCP"= 14189:TCP:NortonAV
"16871:TCP"= 16871:TCP:NortonAV
"13421:TCP"= 13421:TCP:NortonAV
"16269:TCP"= 16269:TCP:NortonAV
"16386:TCP"= 16386:TCP:NortonAV
"15050:TCP"= 15050:TCP:NortonAV
"18371:TCP"= 18371:TCP:NortonAV
"16063:TCP"= 16063:TCP:NortonAV
"13180:TCP"= 13180:TCP:NortonAV
"17754:TCP"= 17754:TCP:NortonAV
"14976:TCP"= 14976:TCP:NortonAV
"16510:TCP"= 16510:TCP:NortonAV
"16502:TCP"= 16502:TCP:NortonAV
"16365:TCP"= 16365:TCP:NortonAV
"18803:TCP"= 18803:TCP:NortonAV
"14031:TCP"= 14031:TCP:NortonAV
"14247:TCP"= 14247:TCP:NortonAV
"12235:TCP"= 12235:TCP:NortonAV
"16191:TCP"= 16191:TCP:NortonAV
"17134:TCP"= 17134:TCP:NortonAV
"14830:TCP"= 14830:TCP:NortonAV
"12169:TCP"= 12169:TCP:NortonAV
"15729:TCP"= 15729:TCP:NortonAV
"17938:TCP"= 17938:TCP:NortonAV
"15965:TCP"= 15965:TCP:NortonAV
"16602:TCP"= 16602:TCP:NortonAV
"16911:TCP"= 16911:TCP:NortonAV
"14054:TCP"= 14054:TCP:NortonAV
"15374:TCP"= 15374:TCP:NortonAV
"16598:TCP"= 16598:TCP:NortonAV
"14759:TCP"= 14759:TCP:NortonAV
"12551:TCP"= 12551:TCP:NortonAV
"16721:TCP"= 16721:TCP:NortonAV
"18162:TCP"= 18162:TCP:NortonAV
"18606:TCP"= 18606:TCP:NortonAV
"17490:TCP"= 17490:TCP:NortonAV
"15146:TCP"= 15146:TCP:NortonAV
"18015:TCP"= 18015:TCP:NortonAV
"17514:TCP"= 17514:TCP:NortonAV
"14944:TCP"= 14944:TCP:NortonAV
"17719:TCP"= 17719:TCP:NortonAV
"18864:TCP"= 18864:TCP:NortonAV
"14457:TCP"= 14457:TCP:NortonAV
"18037:TCP"= 18037:TCP:NortonAV

R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
R3 pctvvbi;PCTVVBI;c:\windows\system32\drivers\pctvvbi.sys [2006-12-12 6369]
S1 pctvNT;Studio PCTV;c:\windows\system32\drivers\pctvw2k.sys [2006-12-11 42448]
S4 Netsnasnxip;Netsnasnxip; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9eedd377-0027-11dd-99fa-0016e66356b1}]
\Shell\AutoRun\command - G:\whi.com
\Shell\explore\Command - G:\whi.com
\Shell\open\Command - G:\whi.com
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-cdoosoft - c:\windows\system32\olhrwef.exe
MSConfigStartUp-Active Desktop Calendar - e:\xemicomputers\Active Desktop Calendar\ADC.exe
MSConfigStartUp-RavAV - c:\windows\AdobeR.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {CA759D97-7E0A-4076-A1A4-0D1018F91656} = 212.200.191.166,212.200.190.166
FF - ProfilePath - c:\documents and settings\XP\Application Data\Mozilla\Firefox\Profiles\grf34stu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: network.proxy.type - 2
FF - component: c:\progra~1\MOZILL~1\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\progra~1\MOZILL~1\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\progra~1\MOZILL~1\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-04-09 16:30:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\Grisoft\AVGFRE~1\avgamsvr.exe
c:\progra~1\Grisoft\AVGFRE~1\avgupsvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
.
**************************************************************************
.
Completion time: 2009-04-09 16:34:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-09 14:33:59

Pre-Run: 554,070,016 bytes free
Post-Run: 1,383,776,256 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

439 --- E O F --- 2009-03-11 19:23:25

  • DEMIAN (Male)
  • Legendary citizen
  • IT Manager
  • Joined: 25 Mar 2005
  • Posts: 3706
  • Location: The darkest place on earth..

To start, download and run this program.
http://amf.mycity.rs/personal/dr_Bora/Win32.Rjump_Port_Exception_Cleaner.exe
When it reports that it has finished, move on to the second step.

Open Notepad and copy the following text into it:

File:: 
C:\i.com
C:\1ogf.exe
C:\cqxj.exe
C:\o3n9k.com
C:\0bcobed.exe
C:\q0dhfjf.exe
C:\luk1ylq.com
C:\xdw.com
C:\cb.exe

Driver::
Netsnasnxip

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9eedd377-0027-11dd-99fa-0016e66356b1}]


Save the Notepad file to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
In your next message, post the log that is produced at the end of the cleaning/scanning.
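
As an added example (not a tool from this thread, and not something ComboFix or HijackThis ships), the Python script below applies the triage rules a responder would use on the two logs above to a constructed sample built from lines copied out of them: Run values whose name bears no resemblance to the file they launch (RavAV -> AdobeR.exe, cdoosoft -> olhrwef.exe), executables launched straight from the Windows root, a bare .exe in a Startup folder where only shortcuts belong, Security Center notifications switched off, a flood of firewall port exceptions under one label, and mountpoints2 AutoRun commands pointing at a removable drive. The rule names, the three-character name-similarity test and the port-flood threshold are my own assumptions, chosen to fit this infection.

```python
"""Triage rules for HijackThis / ComboFix log text (added example, not part of
either tool). Every rule here is a heuristic assumption, not a tool feature."""
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the logs posted above, trimmed to the
# sections the rules read (O4 autostarts and three ComboFix registry sections).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RavAV] C:\WINDOWS\AdobeR.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\kamsoft.exe
O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 - Startup: ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18871:TCP"= 18871:TCP:NortonAV
"14667:TCP"= 14667:TCP:NortonAV
"18792:TCP"= 18792:TCP:NortonAV
"16478:TCP"= 16478:TCP:NortonAV
"13590:TCP"= 13590:TCP:NortonAV
"13319:TCP"= 13319:TCP:NortonAV
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9eedd377-0027-11dd-99fa-0016e66356b1}]
\Shell\AutoRun\command - G:\whi.com
\Shell\open\Command - G:\whi.com
"""

O4_RUN = re.compile(r'^O4 - HK\S*\\Run: \[(?P<name>[^\]]+)\] "?(?P<path>.+?\.(?:exe|com|bat|cmd|scr|pif))', re.I)
O4_STARTUP = re.compile(r'^O4 - (?:Global )?Startup: (?P<item>.+)$', re.I)
SECTION = re.compile(r'^\[(?P<key>[^\]]+)\]$')
NOTIFY_OFF = re.compile(r'^"(?P<value>\w+DisableNotify)"=dword:0*1$')
PORT_RULE = re.compile(r'^"\d+:(?:TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<label>.+)$')
AUTORUN_CMD = re.compile(r'^\\Shell\\(?P<verb>\w+)\\command - (?P<target>[a-z]:\\.+)$', re.I)


def names_related(run_name: str, exe_stem: str) -> bool:
    """Do a Run value name and the launched file's stem share any 3-character
    run? Legitimate entries usually do (AVG7_CC -> avgcc.exe); the worm's do
    not (RavAV -> AdobeR.exe). Case-insensitive, non-alphanumerics dropped."""
    a = re.sub(r"[^a-z0-9]", "", run_name.lower())
    b = re.sub(r"[^a-z0-9]", "", exe_stem.lower())
    if not a or not b:
        return False
    if a in b or b in a:
        return True
    return any(a[i:i + 3] in b for i in range(len(a) - 2))


def triage(log_text: str, port_flood_threshold: int = 5) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for every suspicious line in the log text."""
    findings: List[Tuple[str, str]] = []
    port_labels: Dict[str, int] = {}
    section = ""  # lower-cased key of the registry section currently being read
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group("key").lower()
            continue
        m = O4_RUN.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            stem = ntpath.splitext(ntpath.basename(path))[0]
            if not names_related(name, stem):
                findings.append(("run_name_mismatch", f"[{name}] -> {path}"))
            # Review-level rule: a few OEM helpers do live in <drive>:\WINDOWS
            # (AGRSMMSG, SoundMan in the ComboFix log above), but so did AdobeR.exe.
            if ntpath.dirname(path).lower().endswith(":\\windows"):
                findings.append(("exe_in_windows_root", f"[{name}] -> {path}"))
            continue
        m = O4_STARTUP.match(line)
        if m:
            item = m.group("item").split(" = ")[0]
            if not item.lower().endswith(".lnk"):  # Startup folders hold shortcuts, not binaries
                findings.append(("startup_folder_exe", item))
            continue
        if "security center" in section:
            m = NOTIFY_OFF.match(line)
            if m:
                findings.append(("security_center_notify_disabled", m.group("value")))
        elif "globallyopenports" in section:
            m = PORT_RULE.match(line)
            if m:
                label = m.group("label").strip()
                port_labels[label] = port_labels.get(label, 0) + 1
        elif "mountpoints2" in section:
            m = AUTORUN_CMD.match(line)
            if m:
                findings.append(("removable_drive_autorun", f"{m.group('verb')} -> {m.group('target')}"))
    for label, count in port_labels.items():
        if count >= port_flood_threshold:
            findings.append(("port_exception_flood", f"{label}: {count} ports"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:32} {detail}")
```

Running the script prints the findings for the embedded sample; for a real case, pass the text of the whole HijackThis or ComboFix log to triage(). The rules are deliberately narrow: kamsoft.exe from the first log is not flagged, because its Run value name matches its file name, so the file-creation dates and hidden/system attributes in the ComboFix listing still need a manual read.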

  • Joined: 01 Nov 2008
  • Posts: 87
  • Location: Kragujevac

Demian, thanks for the great help.
The computer now runs like clockwork!
It's not mine, it's my sister's...! A big infection, from what I can see!
Thanks once again!

  • DEMIAN (Male)
  • Legendary citizen
  • IT Manager
  • Joined: 25 Mar 2005
  • Posts: 3706
  • Location: The darkest place on earth..

It's not really that big an infection, as infections go. What matters more about this one is that it spreads via USB devices.. You're not following the procedure we use here, so I can't guarantee that the PC is clean. But if in your expert judgement everything is fine with her computer, then all that's left is to follow the instructions below..

---------------------------
Uninstalling ComboFix:
Click START and then RUN.

In the text entry line, type (or paste) the following:

Combofix /u

and then click OK.

Wait for the uninstall process to finish.

That's it..
