Autorun + worm

Autorun + worm

offline
  • Pridružio: 01 Nov 2008
  • Poruke: 5

da krenem od toga sto ne mogu da upalim hidden files i system protected inace bih obrisao rucno kao i dosad Very Happy



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:47 PM, on 11/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\mfck\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = daemon-search.com/startpage
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - P:\Program Files\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - P:\Program Files\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DLD.EXE] C:\Program Files\Download Direct\DLD.exe
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Copy to &Lightning Note - P:\Program Files\WordPerfect Lightning\Programs\WPLightningCopyToNote.hta
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - P:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8-) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Desktop (Service_Desktop) - Unknown owner - C:\Program Files\Free-Soft\Virtual Desktop\Desktop.exe (file missing)
O23 - Service: Windows Media Connect Service (WMConnectCDS) - Unknown owner - C:\Program Files\Windows Media Connect 2\wmccds.exe (file missing)

--
End of file - 8945 bytes




imam kasperski 2009

na svakoj particiji je autorun.inf

a imam i Worm.Win32.AutoRun.rja takodje na svakoj particiji

imam C, D, F, P i G particije

kav 2009 izbacuje svakog momenta da ih neutralizuje

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Pozdrav...



Privremeno isključi KAV kako ne bi ometao postupak...




Skini ComboFix sa jedne od sledecih adresa na Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe


Ukoliko imaš neki USB flash drive koji bi mogao biti inficiran, priključi ga pre nastavka.

Startuj ComboFix i ne diraj prozor programa dok skenira.
Sledi uputstva na ekranu. Kada zavrsi pojavice se log (C:\ComboFix.txt) koji ces nam ovde iskopirati.

offline
  • Pridružio: 01 Nov 2008
  • Poruke: 5

ComboFix 08-10-31.02 - mfck 2008-11-01 21:53:59.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.424 [GMT 1:00]
Running from: D:\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\WINDOWS\system32\BReWErS.dll
C:\WINDOWS\system32\ckvo.exe
C:\WINDOWS\system32\ckvo0.dll
C:\WINDOWS\system32\ckvo1.dll
C:\WINDOWS\system32\MSINET.oca
C:\xih9.cmd
D:\Autorun.inf
D:\xih9.cmd
F:\Autorun.inf
F:\xih9.cmd
G:\Autorun.inf
G:\xih9.cmd
K:\autorun.inf
K:\xih9.cmd
P:\Autorun.inf
P:\xih9.cmd

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2008-10-01 to 2008-11-01 )))))))))))))))))))))))))))))))
.

2066-07-16 09:05 . 2008-11-01 14:40 3,120 --a------ C:\WINDOWS\MF_C432.lfa
2066-07-16 09:05 . 2008-11-01 14:40 3,120 --a------ C:\WINDOWS\MF_C426.lfa
2066-07-16 09:05 . 2008-11-01 14:40 3,120 --a------ C:\WINDOWS\MF_C421.lfa
2066-07-16 09:05 . 2008-11-01 14:40 3,120 --a------ C:\WINDOWS\MF_C420.lfa
2008-11-01 19:46 . 2008-11-01 19:46 <DIR> d-------- C:\Documents and Settings\mfck\.housecall6.6
2008-10-28 12:25 . 2008-10-28 12:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\2DBoy
2008-10-28 04:43 . 2008-10-28 00:45 14,153 --a------ C:\World.of.Goo-SKIDROW.torrent
2008-10-28 03:11 . 2008-10-28 00:50 20,305 --a------ C:\WorldOfGooSetup.exe.torrent
2008-10-26 21:26 . 2008-10-26 21:26 <DIR> d-------- C:\WINDOWS\Desktop
2008-10-18 13:13 . 2008-10-18 13:13 <DIR> d-------- C:\Program Files\Real
2008-10-18 13:13 . 2008-10-18 13:13 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-10-18 12:06 . 2008-10-18 12:06 609 ---hs---- C:\Documents and Settings\mfck\MediaTubeCodec_ver1.1502.0.exe
2008-10-17 15:28 . 2008-10-17 15:28 <DIR> d-------- C:\Program Files\Common Files\Real
2008-10-17 12:44 . 2008-10-17 13:11 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-10-17 12:44 . 2008-10-17 12:44 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-10-17 12:43 . 2008-10-17 12:43 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-10-17 12:43 . 2008-10-17 12:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-10-17 12:43 . 2008-11-01 21:58 3,372,576 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-10-17 12:43 . 2008-11-01 21:58 114,720 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-10-17 12:43 . 2008-11-01 21:58 30,572 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-10-17 12:43 . 2008-11-01 21:58 4,616 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-10-14 20:55 . 2008-10-14 20:55 <DIR> d--hs---- C:\FOUND.001
2008-10-14 11:56 . 2008-10-14 11:56 <DIR> d-------- C:\Program Files\Common Files\Windows Live
2008-10-06 08:47 . 2008-10-06 08:47 <DIR> d--hs---- C:\FOUND.000
2008-10-04 13:23 . 2008-10-04 13:23 <DIR> d-------- C:\Documents and Settings\mfck\Application Data\CANON INC
2008-10-04 13:23 . 2008-10-04 13:23 <DIR> d-------- C:\Documents and Settings\mfck\Application Data\CameraWindowDC
2008-10-04 13:02 . 2008-10-04 13:02 <DIR> d-------- C:\Documents and Settings\mfck\Application Data\ZoomBrowser EX
2008-10-04 12:32 . 2008-10-04 12:32 <DIR> d-------- C:\Program Files\Canon
2008-10-04 12:32 . 2008-10-04 12:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-10-04 12:28 . 2008-10-04 12:28 <DIR> d-------- C:\Program Files\Common Files\Canon
2008-10-01 08:58 . 2008-10-01 08:58 <DIR> d-------- C:\Program Files\GameSpy Arcade

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-30 07:07 7,520 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-09-29 17:40 --------- d-----w C:\Program Files\Destiny
2008-09-23 13:06 --------- d-----w C:\Program Files\PowerISO
2008-09-10 21:38 --------- d-----w C:\Program Files\Download Direct
2008-09-08 23:03 51,712 ----a-w C:\WINDOWS\system32\sirenacm.dll
2008-04-01 19:29 8 --sh--r C:\WINDOWS\system32\0BC4431270.sys
2008-07-06 11:39 56 --sh--r C:\WINDOWS\system32\701243C40B.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-10-18 185896]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-07-29 206088]
"SMSERIAL"="sm56hlpr.exe" [2004-06-29 C:\WINDOWS\sm56hlpr.exe]
"SoundMan"="SOUNDMAN.EXE" [2002-06-18 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= C:\PROGRA~1\K-LITE~1\codecs\l3codecp.acm
"msacm.divxa32"= C:\PROGRA~1\K-LITE~1\codecs\divxa32.acm
"msacm.ac3acm"= C:\PROGRA~1\K-LITE~1\codecs\ac3acm.acm
"msacm.lameacm"= C:\PROGRA~1\K-LITE~1\codecs\lameACM.acm
"VIDC.FFDS"= C:\PROGRA~1\K-LITE~1\ffdshow\ff_vfw.dll
"VIDC.DIV3"= C:\PROGRA~1\K-LITE~1\codecs\DivXc32.dll
"VIDC.DIV4"= C:\PROGRA~1\K-LITE~1\codecs\DivXc32f.dll
"VIDC.3iv2"= C:\PROGRA~1\K-LITE~1\codecs\3IVXVF~1.DLL
"VIDC.VP60"= C:\PROGRA~1\K-LITE~1\codecs\vp6vfw.dll
"VIDC.VP61"= C:\PROGRA~1\K-LITE~1\codecs\vp6vfw.dll
"VIDC.VP62"= C:\PROGRA~1\K-LITE~1\codecs\vp6vfw.dll
"VIDC.VP70"= C:\PROGRA~1\K-LITE~1\codecs\vp7vfw.dll
"VIDC.VP31"= C:\PROGRA~1\K-LITE~1\codecs\vp31vfw.dll
"VIDC.MPG4"= C:\PROGRA~1\K-LITE~1\codecs\Mpg4c32.dll
"VIDC.MP42"= C:\PROGRA~1\K-LITE~1\codecs\Mpg4c32.dll
"VIDC.MP43"= C:\PROGRA~1\K-LITE~1\codecs\Mpg4c32.dll
"msacm.avis"= C:\PROGRA~1\K-LITE~1\ffdshow\ff_acm.acm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SkinClock"=E:\Program Files\Clock Tray Skins\ClockTraySkins.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CorelDRAW Graphics Suite 11b"=C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=092007 serial=DR12cus-2178927-HVQ lang=EN
"SunJavaUpdateSched"=C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
"OODefragTray"=C:\WINDOWS\system32\oodtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImLc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\groove.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\ApexDC++\\ApexDC.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 32784]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-03 14336]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-04-30 24592]
S3 AVPsys;AVPsys;C:\WINDOWS\system32\drivers\cdaudio.sys [2001-08-17 18688]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [ ]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-03 14336]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-03 14336]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-03 14336]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-03 14336]
S3 Service_Desktop;Desktop;C:\Program Files\Free-Soft\Virtual Desktop\Desktop.exe [ ]
S3 w200bus;Sony Ericsson W200 driver (WDM);C:\WINDOWS\system32\DRIVERS\w200bus.sys [2006-11-07 61504]
S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w200mdfl.sys [2006-11-07 9328]
S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w200mdm.sys [2006-11-07 97056]
S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w200mgmt.sys [2006-11-07 88560]
S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w200obex.sys [2006-11-07 86368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{075bece1-93b7-11dc-ba89-001404434aa6}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4cae16ef-548a-11dc-b9f5-001346baf7b4}]
\Shell\AutoRun\command - J:\FalloutTacticsLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f3607490-518d-11dd-b998-001404434aa6}]
\Shell\AutoRun\command - J:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2008-10-31 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe []
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-DLD.EXE - C:\Program Files\Download Direct\DLD.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\mfck\Application Data\Mozilla\Firefox\Profiles\90fiywto.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1618406&SearchSource=3&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-01 21:59:53
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\WINDOWS\ATKKBSERVICE.EXE
C:\PROGRAM FILES\BONJOUR\MDNSRESPONDER.EXE
C:\WINDOWS\SYSTEM32\OODAG.EXE
C:\WINDOWS\SYSTEM32\PSISERVICE.EXE
C:\WINDOWS\SYSTEM32\TCPSVCS.EXE
C:\PROGRAM FILES\CANON\CAL\CALMAIN.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SYSTEM32\IMAPI.EXE
.
**************************************************************************
.
Completion time: 2008-11-01 22:01:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-01 21:01:46

Pre-Run: 369,041,408 bytes free
Post-Run: 360,800,256 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /usepmtimer /NoExecute=OptOut

224

Dopuna: 01 Nov 2008 22:25

Problem je resen,

HVALA MNOGO !!!

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Nismo gotovi...


Uploaduj sledeće file-ove:

C:\WINDOWS\system32\drivers\cdaudio.sys
C:\WINDOWS\MF_C432.lfa
C:\WINDOWS\system32\drivers\klif.sys

Upload link: http://www.mycity.rs/ambulanta-upload.php

offline
  • Pridružio: 01 Nov 2008
  • Poruke: 5

UPLOADOVAO

Very Happy

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Skini ovaj file na Desktop:

https://www.mycity.rs/must-login.png

Dvoklikni na njega a zatim klikni Yes.


-------------------------------------------------------------------------------------


Još jedna provera...

Preuzmi gmer.zip sa ovog linka i sačuvaj na Desktopu.
Raspakuj ga u neki folder.

Dupli klik na gmer.exe za početak: Izaberi Rootkit/Malware Tab na vrhu.
Klikni na Scan.
Kada je skeniranje završeno, klik na Copy dugme ispod - ovo će sačuvati rezultate skeniranja u Clipboard.
Iskoristi opciju Paste u Notepad-u da bi to prebacio u tekst. Snimi taj tekst iz Notepada kao file1.txt.
Ponovi ovo isto sa Autostart Tab-om. Snimi taj tekst iz Notepada kao file2.txt.


Iskoristi opciju Prikači fajl ispod polja za pisanje poruke na forumu, i prikači nam ovde ta dva fajla koja smo malopre snimili.

offline
  • Pridružio: 01 Nov 2008
  • Poruke: 5

mycity.rs/must-login.png

mycity.rs/must-login.png

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Pridružio: 24 Jul 2007
  • Poruke: 12280
  • Gde živiš: Höganäs, SE

Ok, ovo bi trebalo biti čisto.

Klikni START a zatim RUN
U liniju za unos teksta ukucaj Combofix /u i klikni OK





Sačekaj da se proces deinstalacije završi

Gornja procedura će:
Obrisati sledeće:
ComboFix i njegove file-ove i foldere
VundoFix Backups folder, ako postoji
C:\Deckard folder, ako postoji
C:\OtMoveIt folder, ako postoji

Resetovati podešavanja sata na kompjuteru
Sakriti ekstenzije file-ova, ako je potrebno
Sakriti sistemske/skrivene file-ove/foldere, ako je potrebno
Resetovati System Restore



To je sve.

offline
  • Pridružio: 01 Nov 2008
  • Poruke: 5

hvala mnogo covo, ne znam kako da se zahvalim Very Happy

Ko je trenutno na forumu
 

Ukupno su 793 korisnika na forumu :: 36 registrovanih, 4 sakrivenih i 753 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: A.R.Chafee.Jr., AF-1, Apok, cenejac111, Cufo, dac, darkangel, djordje92sm, havoc995, helen1, ikan, krlebgd77, kuntalo, kybonacci, Leonardo, LUDI, Mahovljani, MarKhan, MB120mm, Misirac, Miskohd, moldway, Mugy, mushroom, NoOneEver Dreams, pein, repac, rodoljub, sakota79, sovanova95, stegonosa, StepskiVuk, Tas011, vasa.93, voja64, yrraf