Here's one

  • Joined: 28 Jan 2008
  • Posts: 17

Here are the logs, if anyone has time. Thanks

COMBOFIX


ComboFix 08-03-07.4 - Administrator 2008-03-08 17:09:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.704 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Documents and Settings\Administrator.BLC.000\ravmonlog
C:\Documents and Settings\profesor\ravmonlog
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\drivers\symavc32.sys
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_CCEVTSVC
-------\LEGACY_NPF
-------\LEGACY_XRU46
-------\CcEvtSvc


((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.

2008-03-07 21:55 . 2008-03-07 22:15 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-03-07 21:55 . 2008-03-07 22:15 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-03-07 21:55 . 2008-03-07 21:55 76,995 --a------ C:\WINDOWS\system32\drivers\klif.cab
2008-03-07 21:43 . 2008-03-07 21:43 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-03-07 21:43 . 2008-03-08 17:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-07 21:42 . 2008-03-08 17:20 7,090,976 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-07 21:42 . 2008-03-07 21:41 107,172 -r-hs---- C:\v.com
2008-03-07 21:42 . 2008-03-08 17:19 100,172 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-07 21:42 . 2008-03-08 17:19 9,760 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-03-07 21:42 . 2008-03-08 17:19 4,004 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-03-07 21:41 . 2008-03-07 21:41 <DIR> d-------- C:\kav
2008-03-07 21:31 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-03-07 21:31 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-02-27 14:51 . 2008-02-27 14:51 46,125 --a------ C:\WINDOWS\FontData.fdb
2008-02-23 11:08 . 2008-02-23 11:08 167,936 --a------ C:\WINDOWS\system32\drivers\Xkk29.sys
2008-02-22 13:14 . 2008-02-22 13:14 167,936 --a------ C:\WINDOWS\system32\drivers\Wrb28.sys
2008-02-21 11:41 . 2008-02-21 11:41 167,936 --a------ C:\WINDOWS\system32\drivers\Wbx34.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 16:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-03-07 20:38 --------- d-----w C:\Program Files\ESET
2008-02-27 10:25 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-02-06 11:26 167,936 ----a-w C:\WINDOWS\system32\drivers\Xru46.sys
2008-02-05 15:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-02-05 15:40 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Nokia
2008-02-05 15:39 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-02-05 15:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-02-05 15:34 --------- d-----w C:\Program Files\Nokia
2008-02-05 15:34 --------- d-----w C:\Program Files\Common Files\Nokia
2008-02-05 15:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nokia
2008-01-31 08:59 --------- d-----w C:\Program Files\Google
2008-01-23 13:40 --------- d-----w C:\Program Files\DatawareGames
2008-01-18 08:59 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2004-08-04 00:56 2,270,803 --sh--r C:\WINDOWS\system32\Winxdiag.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-07-06 17:53 20034600]
"DrvMon.exe"="C:\WINDOWS\system32\DrvMon.exe" [2004-09-22 09:53 53248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 01:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 12:27 222208]
"USRobotics USB Internet Mini Phone"="C:\Program Files\U.S. Robotics\USB Internet Mini Phone\USRobotics USB Internet Mini Phone.exe" [2006-06-07 13:53 338432]
"USRobotics USB Internet Mini Phone Control Panel"="C:\Program Files\U.S. Robotics\USB Internet Mini Phone\USB Internet Mini Phone UI.exe" [2006-06-07 13:51 2115584]
"Microsoft Windows Update x86"="Winxdiag.exe" [2004-08-04 01:56 2270803 C:\WINDOWS\system32\Winxdiag.exe]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe" [2007-03-05 18:53 206456]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 18:29 61440]
"VTTimer"="VTTimer.exe" [2005-03-07 20:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-11 10:33 147456 C:\WINDOWS\system32\VTTrayp.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Windows Update x86"="Winxdiag.exe" [2004-08-04 01:56 2270803 C:\WINDOWS\system32\Winxdiag.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 16:15 1634304]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14588:TCP"= 14588:TCP:NortonAV
"16888:TCP"= 16888:TCP:NortonAV

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-02-02 12:31]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00a6ca3f-1e5f-11db-b1df-000272b00026}]
\Shell\AutoRun\command - d6fagcs8.cmd
\Shell\explore\Command - d6fagcs8.cmd
\Shell\open\Command - d6fagcs8.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{01bbc3c6-ad50-11dc-b532-00138f75fcb1}]
\Shell\AutoRun\command - F:\xn1i9x.com
\Shell\explore\Command - F:\xn1i9x.com
\Shell\open\Command - F:\xn1i9x.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0af43221-7176-11dc-b4d8-000272b00026}]
\Shell\AutoRun\command - F:\a3g3.bat
\Shell\explore\Command - F:\a3g3.bat
\Shell\open\Command - F:\a3g3.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1239a816-e3b6-11dc-b57f-00138f75fcb1}]
\Shell\AutoRun\command - F:\oufddh.exe
\Shell\explore\Command - F:\oufddh.exe
\Shell\open\Command - F:\oufddh.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c10168d-e8f6-11dc-b589-00138f75fcb1}]
\Shell\AutoRun\command - F:\x6.bat
\Shell\explore\Command - F:\x6.bat
\Shell\open\Command - F:\x6.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d737f28-9509-11dc-b50d-00138f75fcb1}]
\Shell\AutoRun\command - F:\8ng8w.com
\Shell\explore\Command - F:\8ng8w.com
\Shell\open\Command - F:\8ng8w.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e4b95fe-ec85-11dc-9714-806d6172696f}]
\Shell\AutoRun\command - F:\v.com
\Shell\explore\Command - F:\v.com
\Shell\open\Command - F:\v.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{627353d8-d09f-11dc-b55f-00138f75fcb1}]
\Shell\AutoRun\command - F:\h.cmd
\Shell\explore\Command - F:\h.cmd
\Shell\open\Command - F:\h.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{678f9f3f-ae17-11dc-b533-00138f75fcb1}]
\Shell\AutoRun\command - F:\ylr.exe
\Shell\explore\Command - F:\ylr.exe
\Shell\open\Command - F:\ylr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69a3192a-d61a-11dc-b56a-00138f75fcb1}]
\Shell\AutoRun\command - F:\usdeiect.com
\Shell\explore\Command - F:\usdeiect.com
\Shell\open\Command - F:\usdeiect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e53f546-d953-11dc-b56e-00138f75fcb1}]
\Shell\AutoRun\command - F:\0hct8ybw.bat
\Shell\explore\Command - F:\0hct8ybw.bat
\Shell\open\Command - F:\0hct8ybw.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c558329-c5a2-11dc-b54b-00138f75fcb1}]
\Shell\AutoRun\command - G:\xn1i9x.com
\Shell\explore\Command - G:\xn1i9x.com
\Shell\open\Command - G:\xn1i9x.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f0d90e5-d880-11dc-b56c-00138f75fcb1}]
\Shell\AutoRun\command - F:\d6fagcs8.cmd
\Shell\explore\Command - F:\d6fagcs8.cmd
\Shell\open\Command - F:\d6fagcs8.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88a78670-e781-11dc-b588-00138f75fcb1}]
\Shell\AutoRun\command - F:\fppg1.exe
\Shell\explore\Command - F:\fppg1.exe
\Shell\open\Command - F:\fppg1.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{896c6c86-ec33-11dc-b592-00138f75fcb1}]
\Shell\auto\command - Knight.exe open
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - Knight.exe open
\Shell\find\command - Knight.exe open
\Shell\install\command - Knight.exe open
\Shell\open\command - Knight.exe open

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a8806e4-bf39-11da-b169-000272b00026}]
\Shell\AutoRun\command - F:\xn1i9x.com
\Shell\explore\Command - F:\xn1i9x.com
\Shell\open\Command - F:\xn1i9x.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9537eb30-2d3b-11dc-b260-000272b00026}]
\Shell\AutoRun\command - G:\x.com
\Shell\explore\Command - G:\x.com
\Shell\open\Command - G:\x.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a056aff6-d15f-11dc-b561-00138f75fcb1}]
\Shell\AutoRun\command - F:\xn1i9x.com
\Shell\explore\Command - F:\xn1i9x.com
\Shell\open\Command - F:\xn1i9x.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a21aae4c-f7f1-11da-b1aa-000272b00026}]
\Shell\AutoRun\command - F:\xn1i9x.com
\Shell\explore\Command - F:\xn1i9x.com
\Shell\open\Command - F:\xn1i9x.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a6817b48-5095-11dc-b295-000272b00026}]
\Shell\AutoRun\command - F:\x.com
\Shell\explore\Command - F:\x.com
\Shell\open\Command - F:\x.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c38ac4d9-1c01-11dc-b246-000272b00026}]
\Shell\AutoRun\command - F:\oufddh.exe
\Shell\explore\Command - F:\oufddh.exe
\Shell\open\Command - F:\oufddh.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c549a2ea-eba3-11dc-b590-00138f75fcb1}]
\Shell\AutoRun\command - F:\a3g3.bat
\Shell\explore\Command - F:\a3g3.bat
\Shell\open\Command - F:\a3g3.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3f82cfd-1888-11db-b0c8-000272b00026}]
\Shell\AutoRun\command - F:\8.bat
\Shell\explore\Command - F:\8.bat
\Shell\open\Command - F:\8.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de981e72-c812-11dc-b550-00138f75fcb1}]
\Shell\AutoRun\command - F:\xn1i9x.com
\Shell\explore\Command - F:\xn1i9x.com
\Shell\open\Command - F:\xn1i9x.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edd7af70-c27a-11dc-b547-00138f75fcb1}]
\Shell\AutoRun\command - F:\loader.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9ca60f9-c4f5-11dc-b549-00138f75fcb1}]
\Shell\AutoRun\command - F:\juok3st.bat
\Shell\explore\Command - F:\juok3st.bat
\Shell\open\Command - F:\juok3st.bat

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2008-03-08 17:24:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
.
**************************************************************************
.
Completion time: 2008-03-08 17:26:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-08 16:26:53


------




HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 17:28:22, on 8.3.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\U.S. Robotics\USB Internet Mini Phone\USRobotics USB Internet Mini Phone.exe
C:\Program Files\U.S. Robotics\USB Internet Mini Phone\USB Internet Mini Phone UI.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\DrvMon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis_sfx\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [Link mogu videti samo ulogovani korisnici]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [Link mogu videti samo ulogovani korisnici]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [Link mogu videti samo ulogovani korisnici]
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [USRobotics USB Internet Mini Phone] "C:\Program Files\U.S. Robotics\USB Internet Mini Phone\USRobotics USB Internet Mini Phone.exe"
O4 - HKLM\..\Run: [USRobotics USB Internet Mini Phone Control Panel] "C:\Program Files\U.S. Robotics\USB Internet Mini Phone\USB Internet Mini Phone UI.exe"
O4 - HKLM\..\Run: [Microsoft Windows Update x86] Winxdiag.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe"
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update x86] Winxdiag.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [Link mogu videti samo ulogovani korisnici]\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - [Link mogu videti samo ulogovani korisnici]
O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} (DownloadFile Control) - [Link mogu videti samo ulogovani korisnici]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = blc.com
O17 - HKLM\Software\..\Telephony: DomainName = blc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = blc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = blc.com
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe" -r (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe



  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...


I would ask you to open topics in future according to the given instructions and to use only those tools you are directed to.


-------------------------------------------------------------------------------------



Enable the display of hidden files according to the following instructions:

[Link visible only to logged-in users]



-------------------------------------------------------------------------------------



Send me the following files for checking:


C:\v.com
C:\WINDOWS\system32\drivers\Xkk29.sys
C:\WINDOWS\system32\Winxdiag.exe


Upload link: [Link visible only to logged-in users]



  • Joined: 28 Jan 2008
  • Posts: 17

OK. No problem (I thought I was doing you a favour by scanning with ComboFix and saving time)


The files have been uploaded


Regards

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

All the files are malicious. Let's move on...



1) Download the program Flash_Disinfector.

the program is started by double-clicking Flash_Disinfector.exe
when the notification message appears, plug in the infected USB flash drives (holding down the Shift key while doing so, to avoid autoplay)
click OK and wait for the process to finish
when the message Done !! appears, click OK.




-------------------------------------------------------------------------------------




2) Open Notepad and copy the following text:

File::
C:\v.com
C:\WINDOWS\system32\drivers\Xkk29.sys
C:\WINDOWS\system32\drivers\Wrb28.sys
C:\WINDOWS\system32\drivers\Wbx34.sys
C:\WINDOWS\system32\drivers\Xru46.sys
C:\WINDOWS\system32\Winxdiag.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Update x86"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Windows Update x86"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00a6ca3f-1e5f-11db-b1df-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{01bbc3c6-ad50-11dc-b532-00138f75fcb1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0af43221-7176-11dc-b4d8-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1239a816-e3b6-11dc-b57f-00138f75fcb1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c10168d-e8f6-11dc-b589-00138f75fcb1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d737f28-9509-11dc-b50d-00138f75fcb1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e4b95fe-ec85-11dc-9714-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{627353d8-d09f-11dc-b55f-00138f75fcb1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{678f9f3f-ae17-11dc-b533-00138f75fcb1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69a3192a-d61a-11dc-b56a-00138f75fcb1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e53f546-d953-11dc-b56e-00138f75fcb1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c558329-c5a2-11dc-b54b-00138f75fcb1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f0d90e5-d880-11dc-b56c-00138f75fcb1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88a78670-e781-11dc-b588-00138f75fcb1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{896c6c86-ec33-11dc-b592-00138f75fcb1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a8806e4-bf39-11da-b169-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9537eb30-2d3b-11dc-b260-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a056aff6-d15f-11dc-b561-00138f75fcb1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a21aae4c-f7f1-11da-b1aa-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a6817b48-5095-11dc-b295-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c38ac4d9-1c01-11dc-b246-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c549a2ea-eba3-11dc-b590-00138f75fcb1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3f82cfd-1888-11db-b0c8-000272b00026}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de981e72-c812-11dc-b550-00138f75fcb1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edd7af70-c27a-11dc-b547-00138f75fcb1}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9ca60f9-c4f5-11dc-b549-00138f75fcb1}]



Save the file from Notepad to the Desktop as "CFScript"




Drag the saved script/text onto the ComboFix icon as shown in the picture.

Post in your next message the log that is produced at the end of the cleaning/scan.



-------------------------------------------------------------------------------------



3) Download the file gmer.zip from this link and save it to the Desktop.
Unpack it into a folder.

Double-click gmer.exe to start: select the Rootkit tab at the top.
Click Scan.
When the scan is finished, click the Copy button below - this will save it to the Clipboard.
In the message field on the forum, right-click and choose Paste.



-------------------------------------------------------------------------------------


So, in your next message post the resulting ComboFix log and the Gmer/Rootkit log.
Also, write whether the domain blc.com is known to you.
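
As an added illustration (not part of any post in this thread, and not ComboFix's or the helper's own logic), the following Python script shows how a defender can triage the "Reg Loading Points" section of a ComboFix log automatically: it parses the `[key]` blocks, flags every MountPoints2 AutoRun handler (the per-volume autorun hijack seen above), flags Run/RunServices values that reference a bare image name instead of a full path, and flags the Security Center and firewall settings that have been switched off. The log excerpt embedded in the script is constructed for the example and modelled on the log format above; the severity heuristics are my own assumptions.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example: the heuristics below are assumptions for illustration,
not ComboFix's own analysis. SAMPLE_LOG is a constructed excerpt that
mimics the log format seen in the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample input (not the full log from the thread).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\avp.exe" [2007-03-05 18:53 206456]
"Microsoft Windows Update x86"="Winxdiag.exe" [2004-08-04 01:56 2270803 C:\WINDOWS\system32\Winxdiag.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{01bbc3c6-ad50-11dc-b532-00138f75fcb1}]
\Shell\AutoRun\command - F:\xn1i9x.com
\Shell\explore\Command - F:\xn1i9x.com
\Shell\open\Command - F:\xn1i9x.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{896c6c86-ec33-11dc-b592-00138f75fcb1}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')
MP_RE = re.compile(r'^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$', re.IGNORECASE)
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\(Run|RunServices|RunOnce)$', re.IGNORECASE)
MP_KEY_RE = re.compile(r'\\explorer\\mountpoints2\\(?P<guid>\{[0-9a-f-]+\})$', re.IGNORECASE)
SC_NOTIFY = ('AntiVirusOverride', 'AntiVirusDisableNotify', 'UpdatesDisableNotify')


@dataclass
class Finding:
    severity: str   # 'high' or 'medium' (assumed scale)
    key: str        # registry key the finding belongs to
    detail: str     # human-readable description


def parse_sections(text):
    """Yield (key, [value lines]) for each [key] block in the log."""
    key, lines = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            if key is not None:
                yield key, lines
            key, lines = m.group('key'), []
        elif line and key is not None:
            lines.append(line)
    if key is not None:
        yield key, lines


def analyze(text):
    """Return a list of Findings for the suspicious loading points in text."""
    findings = []
    for key, lines in parse_sections(text):
        mp = MP_KEY_RE.search(key)
        if mp:
            # Any AutoRun handler registered per volume is a persistence artefact worth review.
            for line in lines:
                m = MP_RE.match(line)
                if m and m.group('verb').lower() == 'autorun':
                    findings.append(Finding('high', key,
                        f"MountPoints2 AutoRun handler for volume {mp.group('guid')} runs: {m.group('cmd')}"))
            continue
        if RUN_KEY_RE.search(key):
            for line in lines:
                m = VALUE_RE.match(line)
                if not m:
                    continue
                name, data = m.group('name'), m.group('data')
                cmd = data.split(' [', 1)[0].strip().strip('"')   # drop ComboFix's "[date size path]" suffix
                if not re.match(r'^[A-Za-z]:\\', cmd):
                    findings.append(Finding('medium', key,
                        f'Run value "{name}" uses a bare image name ({cmd}); resolved via search path, verify the file'))
            continue
        if key.lower().endswith('security center'):
            for line in lines:
                m = VALUE_RE.match(line)
                if m and m.group('name') in SC_NOTIFY and m.group('data').endswith('00000001'):
                    findings.append(Finding('medium', key,
                        f'Security Center notification suppressed: {m.group("name")}=1'))
            continue
        if key.lower().endswith('firewallpolicy\\standardprofile'):
            for line in lines:
                m = VALUE_RE.match(line)
                if m and m.group('name') == 'EnableFirewall' and m.group('data').strip().startswith('0'):
                    findings.append(Finding('medium', key, 'Windows Firewall disabled for the standard profile'))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 2, 'medium': 3}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG):
        print(f'[{f.severity}] {f.detail}')
    print(summarize(analyze(SAMPLE_LOG)))
```

On the constructed excerpt this reports two high findings (the two AutoRun handlers) and three medium ones (the bare `Winxdiag.exe` Run value, `AntiVirusOverride`, and the disabled firewall); on the full log from the thread, every MountPoints2 block with an `\Shell\AutoRun\command` line would be listed, which is exactly the set the helper's CFScript removes.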

  • Joined: 28 Jan 2008
  • Posts: 17

The domain is fine (known)

Here are the logs


COMBO

ComboFix 08-03-07.4 - Administrator 2008-03-09 10:24:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.687 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\v.com
C:\WINDOWS\system32\drivers\Wbx34.sys
C:\WINDOWS\system32\drivers\Wrb28.sys
C:\WINDOWS\system32\drivers\Xkk29.sys
C:\WINDOWS\system32\drivers\Xru46.sys
C:\WINDOWS\system32\Winxdiag.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\v.com
C:\WINDOWS\system32\drivers\Wbx34.sys
C:\WINDOWS\system32\drivers\Wrb28.sys
C:\WINDOWS\system32\drivers\Xkk29.sys
C:\WINDOWS\system32\drivers\Xru46.sys
C:\WINDOWS\system32\Winxdiag.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.

2008-03-07 21:55 . 2008-03-07 22:15 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-03-07 21:55 . 2008-03-07 22:15 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-03-07 21:55 . 2008-03-07 21:55 76,995 --a------ C:\WINDOWS\system32\drivers\klif.cab
2008-03-07 21:43 . 2008-03-07 21:43 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-03-07 21:43 . 2008-03-09 09:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-07 21:42 . 2008-03-09 10:26 7,141,152 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-07 21:42 . 2008-03-08 19:34 100,556 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-07 21:42 . 2008-03-09 10:26 13,344 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-03-07 21:42 . 2008-03-08 19:34 5,264 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-03-07 21:41 . 2008-03-07 21:41 <DIR> d-------- C:\kav
2008-03-07 21:31 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-03-07 21:31 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-02-27 14:51 . 2008-02-27 14:51 46,125 --a------ C:\WINDOWS\FontData.fdb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 16:51 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-03-07 20:38 --------- d-----w C:\Program Files\ESET
2008-02-27 10:25 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-02-05 15:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-02-05 15:40 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Nokia
2008-02-05 15:39 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-02-05 15:39 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-02-05 15:34 --------- d-----w C:\Program Files\Nokia
2008-02-05 15:34 --------- d-----w C:\Program Files\Common Files\Nokia
2008-02-05 15:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nokia
2008-01-31 08:59 --------- d-----w C:\Program Files\Google
2008-01-23 13:40 --------- d-----w C:\Program Files\DatawareGames
2008-01-18 08:59 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-07-06 17:53 20034600]
"DrvMon.exe"="C:\WINDOWS\system32\DrvMon.exe" [2004-09-22 09:53 53248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 01:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 12:27 222208]
"USRobotics USB Internet Mini Phone"="C:\Program Files\U.S. Robotics\USB Internet Mini Phone\USRobotics USB Internet Mini Phone.exe" [2006-06-07 13:53 338432]
"USRobotics USB Internet Mini Phone Control Panel"="C:\Program Files\U.S. Robotics\USB Internet Mini Phone\USB Internet Mini Phone UI.exe" [2006-06-07 13:51 2115584]
"Microsoft Windows Update x86"="Winxdiag.exe" []
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe" [2007-03-05 18:53 206456]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 18:29 61440]
"VTTimer"="VTTimer.exe" [2005-03-07 20:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-11 10:33 147456 C:\WINDOWS\system32\VTTrayp.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Windows Update x86"="Winxdiag.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 16:15 1634304]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14588:TCP"= 14588:TCP:NortonAV
"16888:TCP"= 16888:TCP:NortonAV

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-02-02 12:31]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [Link mogu videti samo ulogovani korisnici]
Rootkit scan 2008-03-09 10:26:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-09 10:27:50
ComboFix-quarantined-files.txt 2008-03-09 09:27:34
ComboFix2.txt 2008-03-08 16:26:59




-------------------------------------------------------------------------



Gmer Rootkit scan:

[Link visible only to logged-in users]

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text:

Folder::
C:\Program Files\MySearch
C:\Program Files\MyWay

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows Update x86"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Windows Update x86"=-
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{014DA6C9-189F-421a-88CD-07CFE51CFF10}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{014DA6C9-189F-421a-88CD-07CFE51CFF10}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{014DA6C1-189F-421a-88CD-07CFE51CFF10}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{014DA6C1-189F-421a-88CD-07CFE51CFF10}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{014DA6C9-189F-421a-88CD-07CFE51CFF10}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Search Uninstall]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWaySearchAssistant]




Save the file from Notepad to the Desktop as "CFScript"




Drag the saved script/text onto the ComboFix icon as shown in the picture.

Post in your next message the log that is produced at the end of the cleaning/scan.
