Antichrist, Studentski Glasnik and the rest...

offline
  • Joined: 05 Nov 2008
  • Posts: 5

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:12:53 AM, on 11/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\lxdccoms.exe
D:\pomocni programi\matlab\webserver\bin\win32\matlabserver.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\svchost.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\Sys32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\PROGRA~1\SaveNow\SaveNow.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Documents and Settings\Jeka\Desktop\BlaBla\TR3.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer [Day of judgment]
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [WinFastDTV] C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFDTV\WFWIZ.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Sys32] c:\WINDOWS\Sys32.exe
O4 - HKLM\..\Run: [HService] c:\WINDOWS\msservice.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKLM\..\Run: [LXDCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SaveNow] C:\PROGRA~1\SaveNow\SaveNow.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpyClean] C:\Program Files\Netcom3 Cleaner\SpyClean.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - D:\pomocni programi\matlab\webserver\bin\win32\matlabserver.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Jeka/LOCALS~1/Temp/msohtmlclip1/01/clip_image002.jpg

--
End of file - 6910 bytes

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...


Traces of several infections are visible here. Follow the instructions below carefully.



Download the Antichrist Fix program to the Desktop.
Double-click AC-FIX.EXE to run it.

A prompt asking whether to continue will appear - click OK

Connect all USB storage devices so that they can be disinfected
(devices to connect: USB flash drive, phone, camera...)

Note: do not disconnect the devices before the process finishes.


Click OK to start the cleaning process

The computer will restart

After the system restarts, a notification that the process has finished will appear - click OK

The report of the procedure (C:\AC-FIX\AC-FIX Log.txt) will open in Notepad


Copy the resulting report into the forum topic.



-------------------------------------------------------------------------------------
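
The indicators the reply above is reacting to can be pulled out of a HijackThis log mechanically. The script below is an added example for this thread, not code from HijackThis, from the fix tools named here, or from either poster. Its rule set and its allowlist of files that legitimately live directly in C:\WINDOWS are this example's own assumptions, and the sample log is a constructed subset of the lines posted above.

```python
r"""Triage rules for HijackThis log lines.

Added example for this thread; not part of HijackThis, of the fix tools named
here, or of the original posts. The rules encode what the log above shows:
executables dropped directly into C:\WINDOWS instead of System32 (Sys32.exe,
msservice.exe), a copy of svchost.exe running outside System32, Internet
Explorer start/search pages redirected to a local file, a modified IE window
title, and a program running from the user's Desktop. The allowlist of
legitimate C:\WINDOWS residents is an assumption made for this example.
"""
import re

WINDIR = r"c:\windows"
SYSTEM32 = WINDIR + r"\system32"
# Core binaries that live only under System32 on a stock XP install.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe"}
# Assumed allowlist of files that legitimately sit directly in C:\WINDOWS.
WINDIR_ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe",
                         "rthdcpl.exe", "alcmtr.exe", "atkkbservice.exe"}
# First drive-letter path on a line that ends in an executable extension.
PATH_RE = re.compile(r'([a-z]:\\[^"\r\n]*?\.(?:exe|dll|com|scr|bat))(?=[",\s]|$)', re.I)


def check_path(path):
    """Apply the path-based rules; returns (rule, lowercased path) tuples."""
    low = path.lower()
    fname = low.rsplit("\\", 1)[-1]
    out = []
    if fname in SYSTEM32_ONLY and not low.startswith(SYSTEM32 + "\\"):
        out.append(("system_binary_wrong_dir", low))
    in_windir_root = low.startswith(WINDIR + "\\") and "\\" not in low[len(WINDIR) + 1:]
    if in_windir_root and fname not in WINDIR_ROOT_ALLOWLIST:
        out.append(("exe_in_windows_root", low))
    if "\\documents and settings\\" in low and ("\\desktop\\" in low or "\\temp\\" in low):
        out.append(("runs_from_user_profile", low))
    return out


def triage_line(line):
    """Findings for one HijackThis line (process list, O4, O23, R0/R1 ...)."""
    line = line.strip()
    if line.startswith(("R0 -", "R1 -")):
        key, _, value = line.partition(" = ")
        out = []
        if re.match(r"[a-z]:\\", value.strip(), re.I):
            out.append(("ie_page_points_to_local_file", line))
        if "Window Title" in key and value.strip():
            out.append(("ie_window_title_set", line))
        return out
    m = PATH_RE.search(line)
    return check_path(m.group(1)) if m else []


def triage(log_text):
    """De-duplicated findings for a whole log."""
    findings = []
    for line in log_text.splitlines():
        for f in triage_line(line):
            if f not in findings:
                findings.append(f)
    return findings


# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Sys32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Documents and Settings\Jeka\Desktop\BlaBla\TR3.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer [Day of judgment]
O4 - HKLM\..\Run: [Sys32] c:\WINDOWS\Sys32.exe
O4 - HKLM\..\Run: [HService] c:\WINDOWS\msservice.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
"""

if __name__ == "__main__":
    for rule, what in triage(SAMPLE_LOG):
        print("%-30s %s" % (rule, what))
```

Path heuristics of this kind flag the obvious drops (the second svchost.exe, Sys32.exe, msservice.exe, the redirected IE pages) but say nothing about amvo.exe, which sits in System32 next to legitimate files and only stands out by its name and the mismatched value name amva; that is the kind of entry that still needs an analyst, and it is what the later ComboFix pass removed.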

offline
  • Joined: 05 Nov 2008
  • Posts: 5

> > > ANTICHRIST FIX < < <


Fix started @ 10:34:57 AM, 11/5/2008
Running on Microsoft Windows XP 5.1.2600 Service Pack 2

-------------------------------------------------------

|»»» Cleaning registry... Done!

|»»» Preparing for reboot... Done!

|»»» Rebooting...

|»»» Continuing fix @ 10:36:14 AM

|»»» Scanning for malicious files:

Found C:\WINDOWS\system32\oeminfo.ini »»» Deleted!
Found C:\WINDOWS\system32\oemlogo.bmp »»» Deleted!
Found C:\WINDOWS\itsme.ini »»» Deleted!
Found C:\WINDOWS\system32\blank.htm »»» Deleted!

|»»» Checking root directories...

|»»» Drive C (HDD):
Found C:\AutoRun.inf »»» Deleted!
Found C:\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}
Files:
|»»»»» Deleting C:\Recycler.{645FF040-5081-101B-9F08-00AA002F954E} »»» Deleted!


|»»» Drive D (HDD):
Found D:\AutoRun.inf »»» Deleted!
Found D:\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}
Files:
|»»»»» Deleting D:\Recycler.{645FF040-5081-101B-9F08-00AA002F954E} »»» Deleted!



-------------------------------------------------------

»»»»»» Finished!

»»»»»» Antichrist Fix v1.1 by dr_Bora



-------------------------------------------------------------------------------------


I don't have any of the listed devices with me, neither a USB flash drive nor a mobile phone nor a camera, so I did this without them... can I run this Antichrist Fix again later, when I get hold of those things, so they get cleaned?

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Quote: I don't have any of the listed devices with me, neither a USB flash drive nor a mobile phone nor a camera, so I did this without them... can I run this Antichrist Fix again later, when I get hold of those things, so they get cleaned?

We'll sort that out later, it's not a problem. Follow the rest of the instructions.

offline
  • Joined: 05 Nov 2008
  • Posts: 5

> > > Studentski Glasnik Fix < < <


Fix started by Jeka at 10:40:14 AM, 11/5/2008
Operating system Microsoft Windows XP 5.1.2600 Service Pack 2

-------------------------------------------------------

|»»» Scanning registry...
|»»» Malicious entries detected!
|»»» Entries deleted successfully!

|»»» Preparing for restart...

|»»» Restarting...

|»»» Scanning drives...
>>>>>> C:\WINDOWS\SYS32.EXE »»» File deleted!
>>>>>> C:\WINDOWS\MSSERVICE.EXE »»» File deleted!
>>>>>> C:\WINDOWS\backup.dll »»» File deleted!
(HDD:) C:\AutoRun.inf »»» File deleted!
(HDD:) D:\AutoRun.inf »»» File deleted!

-------------------------------------------------------

»»»»»» Finished at 10:41:37 AM.

»»»»»» Studentski glasnik Fix by dr_Bora

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

I answered your question about the USB devices above...


Now let's take care of the rest as well.



Download ComboFix from one of the following addresses to the Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and do not touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear; copy it here for us.

offline
  • Joined: 05 Nov 2008
  • Posts: 5

ComboFix 08-11-04.02 - Jeka 2008-11-05 10:50:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.578 [GMT -8:00]
Running from: c:\documents and settings\Jeka\Desktop\BlaBla\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\windows\svchost.exe
c:\windows\system32\amvo.exe
c:\windows\system32\amvo0.dll
c:\windows\system32\mdm.exe
c:\windows\system32\wmcache.nld
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_POWERMANAGER
-------\Service_Netcom3
-------\Service_PowerManager


((((((((((((((((((((((((( Files Created from 2008-10-05 to 2008-11-05 )))))))))))))))))))))))))))))))
.

2008-11-05 10:34 . 2008-11-05 10:34 <DIR> d-------- C:\AC-FIX
2008-11-05 09:21 . 2008-11-05 09:21 23,552 --a------ c:\documents and settings\Jeka\so7.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-06 01:00 --------- d-----w c:\program files\Lx_cats
2008-11-05 16:00 196,608 ----a-w c:\windows\system32\drivers\nStandard.bin
2008-10-05 06:30 --------- d-----w c:\program files\SaveNow
2008-10-05 03:14 --------- d-----w c:\program files\RadLight
2008-10-01 03:19 --------- d-----w c:\documents and settings\Jeka\Application Data\Winamp
2008-09-18 00:23 7,780 ----a-w c:\documents and settings\Jeka\FMCodec.dat
2008-09-18 00:23 4 ----a-w c:\documents and settings\Jeka\WFSCHDL.dat
2008-09-11 17:01 2,516 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2008-05-12 08:11 8 --sh--r c:\documents and settings\All Users\Application Data\52DF72FF22.sys
2005-09-12 13:52 12,678,535 ----a-w c:\program files\e_guide.pdf
2001-08-23 21:00 180,224 --sha-r c:\windows\system32\cfgbkeqd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"SpyClean"="c:\program files\Netcom3 Cleaner\SpyClean.exe" [2008-03-11 4505600]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 202024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"ASUSGamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2007-07-12 380928]
"WinFastDTV"="c:\program files\WinFast\WFDTV\DTVSchdl.exe" [2007-02-12 69632]
"WinFast Schedule"="c:\program files\WinFast\WFDTV\WFWIZ.exe" [2007-02-12 397312]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"lxdcamon"="c:\program files\Lexmark 1300 Series\lxdcamon.exe" [2007-02-05 20480]
"LXDCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll" [2007-01-22 102400]
"SaveNow"="c:\progra~1\SaveNow\SaveNow.exe" [2001-12-18 167424]
"nwiz"="nwiz.exe" [2007-06-28 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 c:\windows\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
"SharedAccess"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe [2007-02-12 537520]
R2 PSI_SVC_2;Protexis Licensing V2;c:\program files\Common Files\Protexis\License Service\PsiService_2.exe [2007-07-24 185632]
R3 asusgsb;ASUS Virtual Video Capture Device Driver;c:\windows\system32\drivers\asusgsb.sys [2007-07-12 12416]
R3 Video3D;ASUS Video3D Service;c:\windows\system32\Drivers\Video3D32.sys [2007-07-12 10752]
R3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFDTV\WFIOCTL.SYS [2005-01-06 9446]
S2 PowerManager;Power Manager;c:\windows\svchost.exe [ ]
S3 Netcom3;NetCom3 Service;c:\program files\Netcom3 Cleaner\PSCMonitor.exe [2006-11-18 856064]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a983d72-8a8d-11dd-a2f8-f365ce40ddb2}]
\Shell\AutoRun\command - F:\xn1i9x.com
\Shell\explore\Command - F:\xn1i9x.com
\Shell\open\Command - F:\xn1i9x.com

*Newly Created Service* - POWERMANAGER
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-blank - c:\windows\system32\blank.htm


.
------- Supplementary Scan -------
.
O8 -: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-05 10:52:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
d:\pomocni programi\matlab\webserver\bin\win32\matlabserver.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wdfmgr.exe
d:\pomocni programi\matlab\bin\win32\MATLAB.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-05 10:54:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-05 18:54:35

Pre-Run: 200,122,368 bytes free
Post-Run: 859,283,456 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer


offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Uhh, there are real viruses here too (file infectors). Why don't you have an antivirus installed?


From Control Panel > Add/Remove Programs, uninstall SaveNow.


-------------------------------------------------------------------------------------


Open Notepad and copy the following text:

File::
c:\documents and settings\Jeka\so7.exe
c:\windows\system32\cfgbkeqd.dll

Folder::
c:\program files\Netcom3 Cleaner

Driver::
PowerManager
Netcom3

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyClean"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a983d72-8a8d-11dd-a2f8-f365ce40ddb2}]


Save the file from Notepad to the Desktop as "CFScript"




Drag the saved script/text file onto the ComboFix icon as shown in the picture.
Post the log produced at the end of the cleaning/scan in your next message.
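
The CFScript above is the fix dispatched from the ComboFix log: files and folders chosen by hand, plus the services and registry entries that belong to them. The script below is an added example (not ComboFix's own code and not part of either poster's text) that derives the Driver:: and Registry:: sections from a ComboFix log once the analyst supplies the File:: and Folder:: lists. It emits only the directive syntax the reply shows, its selection rules are this example's own heuristics, and the sample log lines are a constructed subset of the log posted above.

```python
r"""Build a ComboFix CFScript from a ComboFix log plus the analyst's decisions.

Added example for this thread; it is not ComboFix's own code and not part of
the original posts. It emits only the four sections the reply above uses
(File::, Folder::, Driver::, Registry::) with the same REGEDIT-style syntax
for deleting a value ("name"=-) and a key ([-key]). The analyst names files
and folders to delete; the rest is derived from the log by this example's own
heuristics: services ComboFix could not stat (empty "[ ]") or whose binary is
being deleted, Run values pointing into a deleted folder, and MountPoints2
keys holding a cached AutoRun command (the F:\xn1i9x.com lines above).
"""
import re

SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]$")
RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+\\Run)\]$", re.I)
MP2_KEY_RE = re.compile(r"^\[(HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
                        r"\\explorer\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"')
MP2_CMD_RE = re.compile(r"^\\Shell\\[^\\]+\\command\s+-\s+(\S.*)$", re.I)


def parse_combofix(log_text):
    """Return (run_values, mountpoints2, services) found in the log text."""
    run, mp2, services = [], {}, []
    section = None                       # ("run", key) | ("mp2", key) | None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            section = None
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append((m["name"], m["path"], m["meta"].strip()))
        elif line.startswith("["):
            if RUN_KEY_RE.match(line):
                section = ("run", RUN_KEY_RE.match(line).group(1))
            elif MP2_KEY_RE.match(line):
                section = ("mp2", MP2_KEY_RE.match(line).group(1))
                mp2.setdefault(section[1], [])
            else:
                section = None
        elif section and section[0] == "run" and RUN_VALUE_RE.match(line):
            name, path = RUN_VALUE_RE.match(line).groups()
            run.append((section[1], name, path))
        elif section and section[0] == "mp2" and MP2_CMD_RE.match(line):
            mp2[section[1]].append(MP2_CMD_RE.match(line).group(1))
    return run, mp2, services


def _under(path, folders):
    low = path.lower().rstrip("\\")
    return any(low == f.lower().rstrip("\\") or low.startswith(f.lower().rstrip("\\") + "\\")
               for f in folders)


def plan_cfscript(log_text, files=(), folders=()):
    """Return {'File': [...], 'Folder': [...], 'Driver': [...], 'Registry': [...]}."""
    run, mp2, services = parse_combofix(log_text)
    files, folders = list(files), list(folders)
    lower_files = {f.lower() for f in files}
    drivers = []
    for name, path, meta in services:
        low = path.lower()
        rogue_svchost = low.endswith("\\svchost.exe") and "\\system32\\" not in low
        if meta == "" or rogue_svchost or _under(path, folders) or low in lower_files:
            drivers.append(name)
    registry, by_key = [], {}
    for key, name, path in run:
        if _under(path, folders) or path.lower() in lower_files:
            by_key.setdefault(key, []).append(name)
    for key, names in by_key.items():
        registry.append("[%s]" % key)
        registry.extend('"%s"=-' % n for n in names)
    # Any cached AutoRun command under MountPoints2 is the USB-worm trace; drop the key.
    registry.extend("[-%s]" % key for key, cmds in mp2.items() if cmds)
    return {"File": files, "Folder": folders, "Driver": drivers, "Registry": registry}


def render_cfscript(plan):
    """Render the plan as CFScript text (section name + '::', one entry per line)."""
    chunks = ["%s::\n%s" % (s, "\n".join(plan[s]))
              for s in ("File", "Folder", "Driver", "Registry") if plan[s]]
    return "\n\n".join(chunks) + "\n"


# Constructed sample: a subset of the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"SpyClean"="c:\program files\Netcom3 Cleaner\SpyClean.exe" [2008-03-11 4505600]

R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe [2007-02-12 537520]
S2 PowerManager;Power Manager;c:\windows\svchost.exe [ ]
S3 Netcom3;NetCom3 Service;c:\program files\Netcom3 Cleaner\PSCMonitor.exe [2006-11-18 856064]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a983d72-8a8d-11dd-a2f8-f365ce40ddb2}]
\Shell\AutoRun\command - F:\xn1i9x.com
\Shell\explore\Command - F:\xn1i9x.com
\Shell\open\Command - F:\xn1i9x.com
"""
FILES = (r"c:\documents and settings\Jeka\so7.exe", r"c:\windows\system32\cfgbkeqd.dll")
FOLDERS = (r"c:\program files\Netcom3 Cleaner",)

if __name__ == "__main__":
    print(render_cfscript(plan_cfscript(SAMPLE_LOG, FILES, FOLDERS)))
```

With the sample input the rendered script is the same four sections the reply dispatched; the point of generating it is consistency, so that a folder slated for deletion never leaves behind a Run value or a service pointing at it. Read the rendered text before dragging it onto ComboFix; the script decides nothing the analyst has not already decided.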

offline
  • Joined: 05 Nov 2008
  • Posts: 5

ComboFix 08-11-04.02 - Jeka 2008-11-05 12:13:31.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.526 [GMT -8:00]
Running from: c:\documents and settings\Jeka\Desktop\BlaBla\ComboFix.exe
Command switches used :: c:\documents and settings\Jeka\Desktop\BlaBla\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\Jeka\so7.exe
c:\windows\system32\cfgbkeqd.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jeka\so7.exe
c:\program files\Netcom3 Cleaner
c:\program files\Netcom3 Cleaner\Backup\{03579105-A212-416E-99DD-93D533BB30BD}.rbk
c:\program files\Netcom3 Cleaner\Backup\{12C17D93-BA25-43C4-BA8E-A93129FAF6E5}.rbk
c:\program files\Netcom3 Cleaner\Backup\{18F144D8-E647-4F3E-BC1B-463CA471CE9C}.rbk
c:\program files\Netcom3 Cleaner\Backup\{197C0764-86EE-4593-A22D-B35E575847C3}.rbk
c:\program files\Netcom3 Cleaner\Backup\{24FD5743-9041-47EA-A104-B26CB3C5CB64}.rbk
c:\program files\Netcom3 Cleaner\Backup\{28E5CBA5-4CDE-4E92-98A3-DCCF4137FD7A}.rbk
c:\program files\Netcom3 Cleaner\Backup\{31E89730-E83F-49C4-970E-7B2A1AA171FC}.rbk
c:\program files\Netcom3 Cleaner\Backup\{52529F3E-4030-4864-BC64-DF8340EEAF8B}.rbk
c:\program files\Netcom3 Cleaner\Backup\{6A628DA1-A67A-4B53-83CB-437FB49CED74}.rbk
c:\program files\Netcom3 Cleaner\Backup\{6D681815-D28F-4C43-A570-4064386EDC0A}.rbk
c:\program files\Netcom3 Cleaner\Backup\{74A72393-3765-45F4-8BE4-AE9C10B6DD64}.rbk
c:\program files\Netcom3 Cleaner\Backup\{75A100FC-59A6-42F5-9934-43B25E7A0D9D}.rbk
c:\program files\Netcom3 Cleaner\Backup\{81D7AB41-3789-4629-A09B-FF54E573E7CE}.rbk
c:\program files\Netcom3 Cleaner\Backup\{849AC9CD-F17F-47B9-B293-07A405443228}.rbk
c:\program files\Netcom3 Cleaner\Backup\{8BDF0F3F-6595-4932-ABBE-160E9A6A6BF8}.rbk
c:\program files\Netcom3 Cleaner\Backup\{903638AF-8FD2-48C1-8107-64FB90DD0DE6}.rbk
c:\program files\Netcom3 Cleaner\Backup\{92161305-D34B-48C4-B04F-BB9455404DF5}.rbk
c:\program files\Netcom3 Cleaner\Backup\{921AAF68-EF05-40D9-A248-45B44F696570}.rbk
c:\program files\Netcom3 Cleaner\Backup\{9300D515-77EE-4586-8682-994A6538C171}.rbk
c:\program files\Netcom3 Cleaner\Backup\{A1885574-87E5-4F43-B8D1-E54848266F3B}.rbk
c:\program files\Netcom3 Cleaner\Backup\{A21F53BD-98BF-4406-BA68-94782A0AA620}.rbk
c:\program files\Netcom3 Cleaner\Backup\{B07CBFEE-042B-4E0F-A27C-E6273709310D}.rbk
c:\program files\Netcom3 Cleaner\Backup\{B2E126C6-BD41-4FEA-BDC0-697147ABB220}.rbk
c:\program files\Netcom3 Cleaner\Backup\{B6711971-7687-4591-827B-DB685F39D1EA}.rbk
c:\program files\Netcom3 Cleaner\Backup\{BB6252C7-C252-42AD-9D91-1CF49319E9E3}.rbk
c:\program files\Netcom3 Cleaner\Backup\{CDB19A25-0F0F-4D94-862A-5643289D4B9A}.rbk
c:\program files\Netcom3 Cleaner\Backup\{CF1A2C99-4D99-4748-AE71-D71AB124D003}.rbk
c:\program files\Netcom3 Cleaner\Backup\{CF33661F-9C99-4EE8-B45E-FA367B23FD80}.rbk
c:\program files\Netcom3 Cleaner\Backup\{D0FEE3E7-6688-4570-A180-B0211809B920}.rbk
c:\program files\Netcom3 Cleaner\Backup\{DA8143DE-9582-4D38-AD3C-60F9356CEE2B}.rbk
c:\program files\Netcom3 Cleaner\Backup\{EBCDB782-8710-4C26-8633-DEA2FE826CBD}.rbk
c:\program files\Netcom3 Cleaner\Backup\{ED63FA44-F7B8-4EAC-ADDC-65EAC4758477}.rbk
c:\program files\Netcom3 Cleaner\Backup\{EEF6B47C-71B7-415C-A28E-2C265A6D7079}.rbk
c:\program files\Netcom3 Cleaner\Backup\{FB0C5657-3E9D-4368-955B-4BA86EE55BAF}.rbk
c:\program files\Netcom3 Cleaner\Backup\02_06_2008_23_14_47.fbk
c:\program files\Netcom3 Cleaner\BackupManager.dll
c:\program files\Netcom3 Cleaner\Database\IgnoreList.db
c:\program files\Netcom3 Cleaner\Database\Immunizer.db
c:\program files\Netcom3 Cleaner\Database\Spyware.db
c:\program files\Netcom3 Cleaner\hashes.md5
c:\program files\Netcom3 Cleaner\Logger.dll
c:\program files\Netcom3 Cleaner\Logs\2008_05_12.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_13.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_14.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_15.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_16.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_17.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_18.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_19.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_20.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_21.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_22.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_23.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_24.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_25.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_26.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_27.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_28.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_29.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_30.log
c:\program files\Netcom3 Cleaner\Logs\2008_05_31.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_01.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_02.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_03.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_04.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_05.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_09.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_10.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_11.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_12.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_13.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_14.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_15.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_16.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_17.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_18.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_19.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_20.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_21.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_22.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_23.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_24.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_25.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_26.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_27.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_28.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_29.log
c:\program files\Netcom3 Cleaner\Logs\2008_06_30.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_01.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_02.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_03.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_04.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_05.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_06.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_07.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_08.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_09.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_10.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_11.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_12.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_13.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_14.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_15.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_16.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_17.log
c:\program files\Netcom3 Cleaner\Logs\2008_07_18.log
c:\program files\Netcom3 Cleaner\Logs\2008_08_27.log
c:\program files\Netcom3 Cleaner\Logs\2008_08_28.log
c:\program files\Netcom3 Cleaner\Logs\2008_08_30.log
c:\program files\Netcom3 Cleaner\Logs\2008_08_31.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_01.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_02.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_03.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_04.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_06.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_07.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_08.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_09.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_11.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_12.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_13.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_14.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_15.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_16.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_17.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_18.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_22.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_23.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_24.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_25.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_29.log
c:\program files\Netcom3 Cleaner\Logs\2008_09_30.log
c:\program files\Netcom3 Cleaner\Logs\2008_10_01.log
c:\program files\Netcom3 Cleaner\Logs\2008_10_02.log
c:\program files\Netcom3 Cleaner\Logs\2008_10_04.log
c:\program files\Netcom3 Cleaner\Logs\2008_10_05.log
c:\program files\Netcom3 Cleaner\Logs\2008_10_06.log
c:\program files\Netcom3 Cleaner\Logs\2008_10_07.log
c:\program files\Netcom3 Cleaner\Logs\2008_10_08.log
c:\program files\Netcom3 Cleaner\Logs\2008_11_05.log
c:\program files\Netcom3 Cleaner\MFC71.dll
c:\program files\Netcom3 Cleaner\msvcp71.dll
c:\program files\Netcom3 Cleaner\msvcr71.dll
c:\program files\Netcom3 Cleaner\PscMonitor.dll
c:\program files\Netcom3 Cleaner\PscMonitor.exe
c:\program files\Netcom3 Cleaner\RegistryChecker.dll
c:\program files\Netcom3 Cleaner\RegManagers.dll
c:\program files\Netcom3 Cleaner\SpyClean.exe
c:\program files\Netcom3 Cleaner\SpyGuard.dll
c:\program files\Netcom3 Cleaner\SpywareRemover.dll
c:\program files\Netcom3 Cleaner\unins000.dat
c:\program files\Netcom3 Cleaner\unins000.exe
c:\windows\IE4 Error Log.txt
c:\windows\svchost.exe
c:\windows\system32\cfgbkeqd.dll
c:\windows\system32\wmcache.nld

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_POWERMANAGER


((((((((((((((((((((((((( Files Created from 2008-10-05 to 2008-11-05 )))))))))))))))))))))))))))))))
.

2008-11-05 10:34 . 2008-11-05 10:34 <DIR> d-------- C:\AC-FIX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-06 01:00 --------- d-----w c:\program files\Lx_cats
2008-11-05 19:09 196,608 ----a-w c:\windows\system32\drivers\nStandard.bin
2008-10-05 03:14 --------- d-----w c:\program files\RadLight
2008-10-01 03:19 --------- d-----w c:\documents and settings\Jeka\Application Data\Winamp
2008-09-18 00:23 7,780 ----a-w c:\documents and settings\Jeka\FMCodec.dat
2008-09-18 00:23 4 ----a-w c:\documents and settings\Jeka\WFSCHDL.dat
2008-09-11 17:01 2,516 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2008-05-12 08:11 8 -csh--r c:\documents and settings\All Users\Application Data\52DF72FF22.sys
2005-09-12 13:52 12,678,535 -c--a-w c:\program files\e_guide.pdf
.

((((((((((((((((((((((((((((( snapshot@2008-11-05_10.54.22.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-06 01:02:02 58,596 ----a-w c:\windows\system32\perfc009.dat
+ 2008-11-05 18:56:27 58,596 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-06 01:02:02 392,296 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-05 18:56:27 392,296 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 202024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"ASUSGamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2007-07-12 380928]
"WinFastDTV"="c:\program files\WinFast\WFDTV\DTVSchdl.exe" [2007-02-12 69632]
"WinFast Schedule"="c:\program files\WinFast\WFDTV\WFWIZ.exe" [2007-02-12 397312]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 188464]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"lxdcamon"="c:\program files\Lexmark 1300 Series\lxdcamon.exe" [2007-02-05 20480]
"LXDCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll" [2007-01-22 102400]
"nwiz"="nwiz.exe" [2007-06-28 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 c:\windows\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
"SharedAccess"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe [2007-02-12 537520]
R2 PowerManager;Power Manager;c:\windows\svchost.exe [2001-08-24 36352]
R2 PSI_SVC_2;Protexis Licensing V2;c:\program files\Common Files\Protexis\License Service\PsiService_2.exe [2007-07-24 185632]
R3 asusgsb;ASUS Virtual Video Capture Device Driver;c:\windows\system32\drivers\asusgsb.sys [2007-07-12 12416]
R3 Video3D;ASUS Video3D Service;c:\windows\system32\Drivers\Video3D32.sys [2007-07-12 10752]
R3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFDTV\WFIOCTL.SYS [2005-01-06 9446]

*Newly Created Service* - POWERMANAGER
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-05 12:15:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
d:\pomocni programi\matlab\webserver\bin\win32\matlabserver.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-05 12:18:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-05 20:18:10
ComboFix2.txt 2008-11-05 18:54:38

Pre-Run: 1,929,166,848 bytes free
Post-Run: 1,916,526,592 bytes free


I don't have one :-( I had one before, but a friend who was trying to "fix" the computer apparently messed something up and deleted it... I'll install NOD32

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Don't install NOD. avast! is more suitable for this problem.

http://www.avast.com/eng/avast_4_home.html

Install it and then check back - you'll get further instructions.
